From 9ff003c4c36b35d50330fe3b52d360d027529741 Mon Sep 17 00:00:00 2001
From: Aditya <97450298+1234-ad@users.noreply.github.com>
Date: Sun, 11 Jan 2026 00:58:58 +0530
Subject: [PATCH] security: run Etherpad container as non-root user (fixes
 #7134) (#7287)

Change the Docker Compose user from "0:0" (root) to "5001:0" (etherpad user)
to follow security best practices and the principle of least privilege.

The Dockerfile already creates a non-root user 'etherpad' with UID 5001
and GID 0, so this change aligns the docker-compose.yml configuration
with the Dockerfile's security model.

Benefits:
- Reduces attack surface by not running as root
- Follows Docker security best practices
- Aligns with the Dockerfile's existing non-root user setup
- Compatible with OpenShift and other platforms that restrict root containers
- Maintains group permissions (GID 0) for volume access

Fixes #7134
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index f0620918c..e009c99f8 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,6 +1,6 @@
 services:
   app:
-    user: "0:0"
+    user: "5001:0"
     image: etherpad/etherpad:latest
     tty: true
     stdin_open: true