From 0e456f33c10e9e5e716288fd9e0c0ac0691c8806 Mon Sep 17 00:00:00 2001
From: Chocobo1
Date: Thu, 5 May 2022 13:30:18 +0800
Subject: [PATCH] Run qbt-nox as non-root
This is mainly to avoid downloaded files being owned by root which requires another one or two commands to change the file ownership.
---
 dist/docker/Dockerfile | 10 +++++++++-
 dist/docker/entrypoint.sh | 15 +++++++++++----
 2 files changed, 20 insertions(+), 5 deletions(-)
diff --git a/dist/docker/Dockerfile b/dist/docker/Dockerfile
index 8bf8937f1..4b0bd4552 100644
--- a/dist/docker/Dockerfile
+++ b/dist/docker/Dockerfile
@@ -40,9 +40,17 @@ FROM alpine:latest
 RUN \
 apk --no-cache add \
+ doas \
 libtorrent-rasterbar \
 qt6-qtbase \
- tini
+ tini && \
+ adduser \
+ -D \
+ -H \
+ -s /sbin/nologin \
+ -u 1000 \
+ qbtUser && \
+ echo "permit nopass :root" >> "/etc/doas.d/doas.conf"
 COPY --from=builder /usr/local/bin/qbittorrent-nox /usr/bin/qbittorrent-nox
diff --git a/dist/docker/entrypoint.sh b/dist/docker/entrypoint.sh
index 20f551217..c49f0b76c 100755
--- a/dist/docker/entrypoint.sh
+++ b/dist/docker/entrypoint.sh
@@ -1,5 +1,6 @@
 #!/bin/sh
+downloadsPath="/downloads"
 profilePath="/config"
 qbtConfigFile="$profilePath/qBittorrent/config/qBittorrent.conf"
@@ -22,7 +23,13 @@ EOF
 fi
 fi
-qbittorrent-nox \
- --profile="$profilePath" \
- --webui-port="$QBT_WEBUI_PORT" \
- "$@"
+# those are owned by root by default
+# don't change existing files owner in `$downloadsPath`
+chown qbtUser:qbtUser "$downloadsPath"
+chown qbtUser:qbtUser -R "$profilePath"
+
+doas -u qbtUser \
+ qbittorrent-nox \
+ --profile="$profilePath" \
+ --webui-port="$QBT_WEBUI_PORT" \
+ "$@"
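Review bot: The doas rule appended at the end of the RUN step, `permit nopass :root`, is broader than this patch needs: it lets every member of group root run any command as any target user without a password. The only use visible here is the entrypoint, running as root, starting qbittorrent-nox as qbtUser, so a rule scoped to that, such as `permit nopass root as qbtUser`, would leave the setuid doas binary in the final image with nothing else it can be used for. A short comment above the `echo` saying that the rule exists only for the entrypoint's privilege drop would help the next person who edits it. The fixed `-u 1000` is also worth documenting, because files on a bind-mounted /downloads will appear on the host as owned by whoever has UID 1000 there.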
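Review bot: The recursive `chown qbtUser:qbtUser -R "$profilePath"` in the second entrypoint.sh hunk runs as root on every container start, over a tree that qbtUser owns and can write to after the first run. If the chown in the image dereferences symbolic links it meets during the walk (worth confirming for the BusyBox applet that Alpine ships), a link left under /config would make root hand ownership of the link's target to qbtUser; `chown -h -R qbtUser:qbtUser "$profilePath"` acts on the link itself and closes that off. Neither chown is checked, so on a read-only or otherwise unchangeable mount the script carries on and qbittorrent-nox starts without write access to its profile; `|| exit 1` or a message on stderr would make that failure visible. Separately, launching with `exec doas -u qbtUser \` would stop a root shell from staying behind as the parent of the daemon. The earlier part of the script, including the config-file creation, is outside this hunk.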