Additional hardening

2025-12-07 09:36:05 -08:00 · 2025-10-12 21:00:27 -04:00
parent 1be91559d2
commit 5109a0881d
6 changed files with 64 additions and 101 deletions
--- a/Dockerfile.debian
+++ b/Dockerfile.debian
@@ -9,6 +9,9 @@
 # - read-only filesystem
 # - no sudo access
 # - least possible permissions on all files and folders
+# - Root user has all permissions revoked and is unused
+# - Secure umask applied so files are owner-only by default
+# - non-privileged user runs the application
 # - no shell access for non-privileged users
 # - no unnecessary packages or services
 # - reduced capabilities