From b613a4239319e84332ec24acbb2cd0a6908f3643 Mon Sep 17 00:00:00 2001 From: Robby Date: Wed, 28 Jan 2026 10:53:30 +0000 Subject: [PATCH] security(sandbox): add non-root user to Docker sandbox Problem: The sandbox container runs as root by default. If untrusted code runs in the sandbox and a container escape vulnerability exists, the attacker gains root access to the host. Solution: Add a non-privileged user following principle of least privilege: ```dockerfile RUN useradd -m -s /bin/bash -u 1000 sandbox USER sandbox WORKDIR /home/sandbox ``` Fixes #3277 (partial) [AI-assisted: lightly tested, code understood] --- Dockerfile.sandbox | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Dockerfile.sandbox b/Dockerfile.sandbox index dec3f32d1..7a50d69a9 100644 --- a/Dockerfile.sandbox +++ b/Dockerfile.sandbox @@ -13,4 +13,8 @@ RUN apt-get update \ ripgrep \ && rm -rf /var/lib/apt/lists/* +RUN useradd -m -s /bin/bash -u 1000 sandbox +USER sandbox +WORKDIR /home/sandbox + CMD ["sleep", "infinity"]