COPY --chown and immutable paths

Definition

The COPY --chown directive in a Dockerfile sets the owner and group of files and directories as they are copied into the image, so that application files are not owned by root unless that is actually required. Immutable paths are file paths that must not change while the container is running; they are typically enforced through security policies or file system attributes so that unauthorized modification is prevented and the integrity of the deployed files is preserved.

Secure Settings Example

FROM alpine:latest
# Create a non-root user
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
# Copy files with specific ownership
COPY --chown=appuser:appgroup ./app /app

Insecure Settings Example

FROM alpine:latest
# Copy files without specifying ownership, defaulting to root
COPY ./app /app
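The following Dockerfile is an added example, not part of the original page, that combines the secure COPY --chown setting above with the immutable-path idea from the definition: the application files are owned by a non-root account, stripped of write permission, and the image is meant to be run with a read-only root filesystem. The ./app directory, the /app-data path and the /app/run.sh entrypoint are assumptions for illustration.

```dockerfile
# Added example: ownership via --chown plus an immutable application path.
# Assumes the build context contains ./app with an executable run.sh.
FROM alpine:latest

# Dedicated unprivileged account for the application
RUN addgroup -S appgroup && adduser -S appuser -G appgroup

# Copy the application with non-root ownership, then remove write
# permission so the running process cannot alter its own code.
# (As the owner, appuser could still restore the bits; running the
# container with --read-only closes that gap at the filesystem level.)
COPY --chown=appuser:appgroup ./app /app
RUN chmod -R a-w /app

# The only location the application is expected to write; mount a
# volume here when the root filesystem is read-only.
RUN mkdir -p /app-data && chown appuser:appgroup /app-data

# --chown sets file ownership only; the process keeps running as root
# until USER switches it to the unprivileged account.
USER appuser
WORKDIR /app

CMD ["/app/run.sh"]
```

Start the container with `docker run --read-only -v appdata:/app-data --tmpfs /tmp <image>` so that /app stays immutable at runtime while the named volume and tmpfs remain writable.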