fix: Permission denied: /download

- Modify Dockerfile to establish `/download` directory permissions before setting the non-root user
- Update permissions for the copied distribution in `alpine.Dockerfile` from 774 to 775 and adjust user setup
- In `distroless.Dockerfile`, modify the permissions of the distribution copy and add steps for creating the `/download` directory with proper permissions
- Update `ubi.Dockerfile` to change the permissions of the copied distribution files and configure the `/download` directory for the non-root user
- Rearrange USER and VOLUME directives in Docker configurations to enhance security and compliance with non-root user standards

Signed-off-by: 陳鈞 <jim60105@gmail.com>

Dockerfile

@@ -16,13 +16,15 @@ COPY --link --from=mwader/static-ffmpeg:6.1.1 /ffmpeg /usr/bin/
 RUN addgroup -g $UID $UID && \
     adduser -H -g "" -D $UID -u $UID -G $UID
 
+# Run as non-root user
+RUN install -d -m 775 -o $UID -g 0 /download
+VOLUME [ "/download" ]
+
 # Remove these to prevent the container from executing arbitrary commands
 RUN rm /bin/echo /bin/ln /bin/rm /bin/sh
 
-# Run as non-root user
-USER $UID
 WORKDIR /download
-VOLUME [ "/download" ]
+USER $UID
 
 STOPSIGNAL SIGINT
 ENTRYPOINT [ "streamlink" ]

alpine.Dockerfile

@@ -39,16 +39,19 @@ RUN addgroup -g $UID $UID && \
 
 # Copy dist and support arbitrary user ids (OpenShift best practice)
 # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#use-uid_create-images
-COPY --chown=$UID:0 --chmod=774 \
+COPY --chown=$UID:0 --chmod=775 \
     --from=build /root/.local /home/$UID/.local
 ENV PATH="/home/$UID/.local/bin:$PATH"
 
+# Run as non-root user
+RUN install -d -m 775 -o $UID -g 0 /download
+VOLUME [ "/download" ]
+
 # Remove these to prevent the container from executing arbitrary commands
 RUN rm /bin/echo /bin/ln /bin/rm /bin/sh
 
-USER $UID
 WORKDIR /download
-VOLUME [ "/download" ]
+USER $UID
 
 STOPSIGNAL SIGINT
 ENTRYPOINT [ "streamlink" ]

distroless.Dockerfile

@@ -22,6 +22,8 @@ RUN --mount=type=cache,id=pip-$TARGETARCH$TARGETVARIANT,sharing=locked,target=/r
     find "/root/.local" -name '*.pyc' -print0 | xargs -0 rm -f || true ; \
     find "/root/.local" -type d -name '__pycache__' -print0 | xargs -0 rm -rf || true ;
 
+RUN install -d -m 775 -o 1000 -g 0 /download
+
 # Distroless image use monty(1000) for non-root user
 FROM al3xos/python-distroless:3.12-debian12 as final
 
@@ -30,13 +32,16 @@ COPY --link --from=mwader/static-ffmpeg:6.1.1 /ffmpeg /usr/bin/
 
 # Copy dist and support arbitrary user ids (OpenShift best practice)
 # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#use-uid_create-images
-COPY --chown=1000:0 --chmod=774 \
+COPY --chown=1000:0 --chmod=775 \
     --from=build /root/.local /home/monty/.local
 ENV PATH="/home/monty/.local/bin:$PATH"
 
-WORKDIR /download
+COPY --chown=1000:0 --chmod=775 \
+    --from=build /download /download
 VOLUME [ "/download" ]
 
+WORKDIR /download
+
 STOPSIGNAL SIGINT
 ENTRYPOINT [ "streamlink" ]
 CMD [ "--help" ]

ubi.Dockerfile

@@ -49,17 +49,19 @@ COPY --link --from=mwader/static-ffmpeg:6.1.1 /ffmpeg /usr/local/bin/
 
 # Copy dist and support arbitrary user ids (OpenShift best practice)
 # https://docs.openshift.com/container-platform/4.14/openshift_images/create-images.html#use-uid_create-images
-COPY --chmod=774 \
+COPY --chmod=775 \
     --from=build /root/.local /root/.local
 ENV PATH="/root/.local/bin:$PATH"
 ENV PYTHONPATH "${PYTHONPATH}:/root/.local/lib/python3.11/site-packages" 
 
+RUN install -d -m 775 -o $UID -g 0 /download
+VOLUME [ "/download" ]
+
 # Remove these to prevent the container from executing arbitrary commands
 RUN rm /bin/echo /bin/ln /bin/rm /bin/sh /bin/bash
 
-USER $UID
 WORKDIR /download
-VOLUME [ "/download" ]
+USER $UID
 
 STOPSIGNAL SIGINT
 ENTRYPOINT [ "streamlink" ]