docker build updates to improve security

Dockerfile

@@ -1,9 +1,23 @@
 # Dockerfile for Reddit Test Posts Bot
 FROM python:3.11-slim
+
+# Create a non-root user for running the bot
+RUN groupadd -g ${GROUP_ID:-1000} botgroup && \
+    useradd -u ${USER_ID:-1000} -g botgroup -m botuser
+
 WORKDIR /app
 COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
+
 COPY bot.py .
 COPY config.py .
+
+# Create DB directory with proper permissions
+RUN mkdir -p /app/DB && chown -R botuser:botgroup /app
+
 ENV PYTHONUNBUFFERED=1
+
+# Switch to non-root user
+USER botuser
+
 CMD ["python", "bot.py"]

README.md

@@ -79,10 +79,35 @@ docker run \
 ### Docker Compose
 
 ```bash
-# Edit docker-compose.yml with your credentials
+# Edit prod.env with your credentials, then:
 docker-compose up
 ```
 
+#### Security: Running as Non-Root User
+
+By default, the container runs as a non-root user (UID 1000, GID 1000) for improved security. You can customize the user and group IDs by setting environment variables before running:
+
+```bash
+# Use specific user and group IDs
+USER_ID=1001 GROUP_ID=1001 docker-compose up
+
+# Use default (1000:1000)
+docker-compose up
+```
+
+The user and group IDs can also be specified in a `.env` file:
+
+```env
+USER_ID=1001
+GROUP_ID=1001
+REDDIT_CLIENT_ID=your_client_id
+REDDIT_CLIENT_SECRET=your_client_secret
+REDDIT_USERNAME=bot_username
+REDDIT_PASSWORD=bot_password
+SUBREDDIT=your_subreddit
+WIKI_PAGE=testpostsbot_config
+```
+
 ### Standalone
 
 ```bash
@@ -96,3 +121,10 @@ python bot.py
 - The config is fetched fresh for each trigger, so you can update the wiki while the bot is running.
 - Only the first matching trigger per message is processed.
 - All processed messages are tracked in `DB/chat_wiki_requests.txt` to avoid duplicate processing.
+
+## Security
+
+- **Non-Root Execution:** The Docker container runs as a non-root user (UID 1000, GID 1000) by default to minimize security risks. This can be customized via `USER_ID` and `GROUP_ID` environment variables.
+- **Credentials:** Store Reddit API credentials in environment variables or `.env` files, never hardcode them.
+- **Moderator-Only Commands:** All bot triggers and commands require the sender to be a moderator of the target subreddit.
+- **DB Directory:** Processed message IDs are stored in a local `DB/` directory to prevent duplicate processing and maintain stateful operation.

docker-compose.yml

@@ -1,6 +1,14 @@
 services:
   testpostsbot:
     image: slfhstd.uk/slfhstd/testpostsbot:dev
+    build:
+      context: .
+      args:
+        - USER_ID=${USER_ID:-1000}
+        - GROUP_ID=${GROUP_ID:-1000}
     env_file:
       - prod.env
+    user: "${USER_ID:-1000}:${GROUP_ID:-1000}"
     restart: unless-stopped
+    volumes:
+      - ./DB:/app/DB