Description
Having code files be writeable by the runtime user is bad practice. Rebuilding the container might make removing maliciously installed apps easier, but we should make it hard to do this in the first place.
The runtime user needs to be a non-root user, and different to the build time user. There's been a move to not using root for the build, which is no doubt a good thing, but it means the build user cannot assign ownership of anything to the runtime user, so we should presumably use a shared group.
Supposing we have users called 'build' and 'runtime', each with a same-named default group, and build is additionally a member of group 'runtime'. That way the group ownership and group write bit of files can be used to make areas writeable as necessary.
Alternatively, user 'build' might have 'runtime' as its default group, meaning just the group write permissions get used to govern write access at runtime. This is perhaps problematic though when files are being sourced from third parties where the permissions are not so easily controlled, e.g. from git or a tarball.
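An added example of the layout described above, written for this discussion rather than taken from the project: a Debian-based image with a non-root 'build' user that is a member of group 'runtime', a non-root 'runtime' user, and group ownership used to separate read-only code from the one writable area. The base image and the paths /app/src and /app/data are assumptions.

```dockerfile
# Added example, not the project's Dockerfile. Base image and paths are assumptions.
FROM debian:bookworm-slim

# These steps still run as root because creating users requires it.
# 'runtime' is the group shared by both users; 'build' keeps its own default
# group but is also a member of 'runtime', so it can chgrp to it.
RUN groupadd --system runtime \
 && useradd --system --gid runtime --home-dir /nonexistent --shell /usr/sbin/nologin runtime \
 && useradd --system --user-group --groups runtime --create-home build \
 && mkdir -p /app/src /app/data \
 && chown -R build:runtime /app \
 # code area: owner rwx, group rx, nothing for others
 && chmod 0750 /app /app/src \
 # writable area: setgid so new files inherit group 'runtime'
 && chmod 2770 /app/data

# Everything from here on runs as the non-root build user.
USER build
WORKDIR /app

# The builder (not the build user) applies --chown, so group 'runtime' can be
# assigned even though 'build' is not root. Third-party sources (git, tarballs)
# may arrive group- or world-writable, so the mode bits are normalised after
# copying rather than trusted.
COPY --chown=build:runtime src/ /app/src/
COPY --chown=build:runtime entrypoint.sh /app/entrypoint.sh
RUN chmod -R g-w,o-rwx /app/src \
 && find /app/src -type d -exec chmod 0750 {} + \
 && chmod 0750 /app/entrypoint.sh

# Build steps run with umask 027 so anything they create is not group-writable.
# (Replace the echo with the real build command.)
RUN umask 027 && echo "build step goes here"

# The runtime user can read code through group 'runtime' but can only write
# under /app/data, the one directory with the group write bit set.
USER runtime
ENTRYPOINT ["/app/entrypoint.sh"]
```

The alternative from the last paragraph above (giving 'build' 'runtime' as its default group) is the same file with `--gid runtime` on the build user instead of `--user-group --groups runtime`; the chmod normalisation after COPY is what handles the third-party-permissions concern in either layout. A quick check that the layout holds is to run `find /app -perm -g=w -o -perm -o=w` inside the image and confirm only /app/data and its contents are listed.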