Lockdown rails app in production for security (rails#47594)

rubys · web-flow · commit 6f50d40d30f0 · 2023-03-08T14:37:18.000+01:00
Current Dockerfile generated by Rails runs as a non-root user which prevents modification of the operating system but leaves wide open all gems and the application itself. This change locks down the application gems and only opens up access to the following directories: db, log, storage, tmp This is a even more secure alternative to rails#47580
diff --git a/railties/lib/rails/generators/rails/app/templates/Dockerfile.tt b/railties/lib/rails/generators/rails/app/templates/Dockerfile.tt
@@ -72,13 +72,14 @@ RUN apt-get update -qq && \
     apt-get install --no-install-recommends -y <%= dockerfile_deploy_packages.join(" ") %> && \
     rm -rf /var/lib/apt/lists /var/cache/apt/archives
 
-# Run and own the application files as a non-root user for security
-RUN useradd rails --home /rails --shell /bin/bash
-USER rails:rails
-
 # Copy built artifacts: gems, application
-COPY --from=build --chown=rails:rails /usr/local/bundle /usr/local/bundle
-COPY --from=build --chown=rails:rails /rails /rails
+COPY --from=build /usr/local/bundle /usr/local/bundle
+COPY --from=build /rails /rails
+
+# Run and own only the runtime files as a non-root user for security
+RUN useradd rails --home /rails --shell /bin/bash && \
+    chown -R rails:rails db log storage tmp
+USER rails:rails
 
 # Entrypoint prepares the database.
 ENTRYPOINT ["/rails/bin/docker-entrypoint"]
