fix: non-root user support in Dockerfile (#45)

* feat: defer privilege dropping to entrypoint for TEE initialization

* feat: standardize ORIGINAL_USER environment variable with __EIGENX_ prefix

* fix privilege dropping to preserve command arguments correctly

Author: solimander

internal/templates/docker/Dockerfile.layered.tmpl

@@ -32,8 +32,8 @@ RUN chmod 755 /usr/local/bin/compute-source-env.sh \
     && chmod 755 /usr/local/bin/caddy{{- end}} \
     && chmod 644 /usr/local/bin/kms-signing-public-key.pem
 
-# Switch back to the original user from base image
-USER {{.OriginalUser}}
+# Store original user - entrypoint will drop privileges to this user after TEE setup
+ENV __EIGENX_ORIGINAL_USER={{.OriginalUser}}
 {{- else}}
 # Make binaries executable (preserve existing permissions, just add execute)
 RUN chmod +x /usr/local/bin/compute-source-env.sh \

internal/templates/scripts/compute-source-env.sh.tmpl

@@ -107,4 +107,11 @@ setup_tls() {
 setup_tls
 
 echo "compute-source-env.sh: Environment sourced."
+
+# Drop privileges to original user for the application command
+if [ -n "$__EIGENX_ORIGINAL_USER" ] && [ "$(id -u)" = "0" ]; then
+    echo "compute-source-env.sh: Dropping privileges to user: $__EIGENX_ORIGINAL_USER"
+    exec su -s /bin/sh "$__EIGENX_ORIGINAL_USER" -c 'exec "$@"' -- sh "$@"
+fi
+
 exec "$@"

pkg/hooks/hooks.go

@@ -244,7 +244,8 @@ var versionCheckChannel = make(chan *common.UpdateInfo, 1)
 // InitVersionCheck starts an async version check for prod builds
 func InitVersionCheck(cCtx *cli.Context) {
 	// Skip for non-prod builds or specific commands
-	if common.Build != "prod" || cCtx.Command.Name == "upgrade" || cCtx.Command.Name == "version" || cCtx.Command.Name == "help" {
+	subcommand := cCtx.Args().First()
+	if common.Build != "prod" || subcommand == "upgrade" || subcommand == "version" || subcommand == "help" {
 		return
 	}