security(sandbox): add non-root user to Docker sandbox

Problem:
The sandbox container runs as root by default. If untrusted code runs
in the sandbox and a container escape vulnerability exists, the attacker
gains root access to the host.

Solution:
Add a non-privileged user following principle of least privilege:
```dockerfile
RUN useradd -m -s /bin/bash -u 1000 sandbox
USER sandbox
WORKDIR /home/sandbox
```

Fixes #3277 (partial)
[AI-assisted: lightly tested, code understood]
This commit is contained in:
Robby 2026-01-28 10:53:30 +00:00
parent 9688454a30
commit b613a42393

View File

@ -13,4 +13,8 @@ RUN apt-get update \
ripgrep \
&& rm -rf /var/lib/apt/lists/*
RUN useradd -m -s /bin/bash -u 1000 sandbox
USER sandbox
WORKDIR /home/sandbox
CMD ["sleep", "infinity"]