
Use a non-root user for all application files/directories, use another non-root user to run the CKAN processes #79

Open
kowh-ai opened this issue Sep 6, 2024 · 1 comment · May be fixed by #80 or ckan/ckan-docker#172
Comments

@kowh-ai
Contributor

kowh-ai commented Sep 6, 2024

One of the things that can increase security of the CKAN images/containers is to have a non-root user own all files and directories that are part of the application. Also to have another non-root user run the CKAN processes.

This will be part of the work on enhancements for a more production-like environment.

Repo: ckan-docker-base

For CKAN 2.10, 2.11 and master images (base and dev)

User: ckan-sys (id=502) - owns the files/directories that are part of the application and supporting libraries

User: ckan (id=503) - runs the application processes, owns files and directories it needs write access to

The primary group for the ckan-sys and ckan users is ckan-sys (id=503) - this is so if more granular write access for both users is needed in the future then this group could be used to do that

The following directories/files are required to be owned by the ckan-sys and ckan users:

ckan-sys
/srv/app/*
/docker-entrypoint.d/*
/usr/local/*

ckan
/srv/app/ckan.ini
/srv/app/src/*
/var/lib/ckan/*
/srv/app/src_extensions/ (for Development)

Repo: ckan-docker

The following directories/files are required to be owned by the ckan-sys user:

ckan-sys
/docker-entrypoint.d/
/srv/app/patches/*
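A way to check an image against the layout above, as an added example that is not code from ckan-docker-base or ckan-docker: `expected_owner` encodes which user each path should belong to, and `audit_listing` compares a `stat` listing of the image against it so ownership drift shows up before the image ships. The sample file paths in the comments and the `find`/`stat` invocation are assumptions, not paths from the issue.

```shell
#!/bin/sh
# Added example, not code from the ckan-docker-base/ckan-docker repos: encodes the
# ownership layout proposed in the issue and audits a stat(1) listing against it.
# From the issue: ckan-sys (uid 502) owns the application; ckan (uid 503) runs the
# processes and owns only what it must write; both have primary group ckan-sys.

# expected_owner PATH -> user that should own PATH ("unknown" if outside the layout).
# The ckan-owned paths sit inside ckan-sys-owned trees, so they are matched first.
expected_owner() {
  case "$1" in
    /srv/app/ckan.ini|/srv/app/src|/srv/app/src/*|/var/lib/ckan|/var/lib/ckan/*|/srv/app/src_extensions|/srv/app/src_extensions/*)
      echo ckan ;;
    /srv/app|/srv/app/*|/docker-entrypoint.d|/docker-entrypoint.d/*|/usr/local|/usr/local/*)
      echo ckan-sys ;;
    *)
      echo unknown ;;
  esac
}

# audit_listing reads lines "USER GROUP PATH" on stdin, for example produced inside
# the container by (assumed GNU/BusyBox stat):
#   find /srv/app /docker-entrypoint.d /usr/local /var/lib/ckan -exec stat -c '%U %G %n' {} +
# It prints one line per file whose owner or group deviates from the layout and
# returns 1 if any deviation was found. Only ownership is checked, not mode bits.
audit_listing() {
  bad=0
  while read -r owner group path; do
    want=$(expected_owner "$path")
    if [ "$want" = unknown ]; then
      continue                                  # not part of the application layout
    fi
    if [ "$owner" != "$want" ] || [ "$group" != ckan-sys ]; then
      echo "$path actual=$owner:$group expected=$want:ckan-sys"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}
```

Running the audit needs only read access to the tree, so it can be executed as the ckan user in the running container rather than as root.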

@kowh-ai kowh-ai self-assigned this Sep 6, 2024
@kowh-ai
Contributor Author

kowh-ai commented Sep 9, 2024

I will also include instructions on how to login to the running ckan container as the ckan-sys user.
