openclaw/Dockerfile.sandbox
Robby b613a42393 security(sandbox): add non-root user to Docker sandbox
Problem:
The sandbox container runs as root by default. If untrusted code runs
in the sandbox and a container escape vulnerability exists, the attacker
gains root access to the host.

Solution:
Add a non-privileged user following principle of least privilege:
```dockerfile
RUN useradd -m -s /bin/bash -u 1000 sandbox
USER sandbox
WORKDIR /home/sandbox
```

Fixes #3277 (partial)
[AI-assisted: lightly tested, code understood]
2026-01-28 10:53:30 +00:00

21 lines
365 B
Docker

FROM debian:bookworm-slim
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
bash \
ca-certificates \
curl \
git \
jq \
python3 \
ripgrep \
&& rm -rf /var/lib/apt/lists/*
RUN useradd -m -s /bin/bash -u 1000 sandbox
USER sandbox
WORKDIR /home/sandbox
CMD ["sleep", "infinity"]