From 996c09a32f476890b288d2e980cae361a7f59bd3 Mon Sep 17 00:00:00 2001
From: RinCodeForge927
Date: Mon, 5 Jan 2026 21:43:37 +0700
Subject: [PATCH 1/2] security: run as non-root user in Docker

---
 scripts/Dockerfile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/scripts/Dockerfile b/scripts/Dockerfile
index c58a6347c47c5..a00c7099d7baa 100644
--- a/scripts/Dockerfile
+++ b/scripts/Dockerfile
@@ -21,9 +21,14 @@ COPY ./scripts/entrypoint.sh /usr/local/memos/
 EXPOSE 5230
 # Directory to store the data, which can be referenced as the mounting point.
-RUN mkdir -p /var/opt/memos
+RUN mkdir -p /var/opt/memos && \
+    addgroup -S memos && adduser -S memos -G memos && \
+    chown -R memos:memos /usr/local/memos /var/opt/memos
+
 VOLUME /var/opt/memos
+USER memos
+
 ENV MEMOS_MODE="prod"
 ENV MEMOS_PORT="5230"

From a34964b969f4ba5c2fa35365ee951ba291d94b14 Mon Sep 17 00:00:00 2001
From: RinCodeForge927
Date: Mon, 5 Jan 2026 21:54:38 +0700
Subject: [PATCH 2/2] security: use explicit UID/GID for predictability

---
 scripts/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/Dockerfile b/scripts/Dockerfile
index a00c7099d7baa..b5da24834c1e3 100644
--- a/scripts/Dockerfile
+++ b/scripts/Dockerfile
@@ -22,7 +22,8 @@ EXPOSE 5230
 # Directory to store the data, which can be referenced as the mounting point.
 RUN mkdir -p /var/opt/memos && \
-    addgroup -S memos && adduser -S memos -G memos && \
+    addgroup -S -g 10001 memos && \
+    adduser -S -u 10001 -G memos memos && \
     chown -R memos:memos /usr/local/memos /var/opt/memos
 VOLUME /var/opt/memos
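Review bot: `chown -R memos:memos /usr/local/memos /var/opt/memos` on the new RUN line gives the runtime user write access to its own binary and entrypoint directory, which is more than dropping root requires; only the data directory needs memos ownership, so `chown -R memos:memos /var/opt/memos` with /usr/local/memos left root-owned and world-readable/executable is the tighter least-privilege form — assuming the server does not write under /usr/local/memos, which this hunk cannot confirm. The recursive chown also duplicates everything under /usr/local/memos into this layer; if those files genuinely need memos ownership, creating the user before the earlier COPY lines (outside this hunk) and using `COPY --chown=memos:memos` avoids the extra layer. One operational caveat deserves a comment above the RUN: a named volume inherits the in-image ownership of /var/opt/memos on first use, but a bind-mounted host directory keeps host ownership, so existing deployments can lose write access once the process is no longer root, e.g. `# /var/opt/memos must be writable by the memos user; bind-mounted host directories need matching ownership.`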
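Review bot: `USER memos` (added by the previous patch, outside this hunk) still selects the account by name, so the fixed IDs introduced here are not what the container runtime or an orchestrator sees; Kubernetes' runAsNonRoot check rejects an image whose USER is non-numeric because it cannot verify the UID, and a name lookup also depends on /etc/passwd being present in the final image. With the UID/GID now pinned, `USER 10001:10001` makes the predictability this patch aims for actually observable. The `-S`, `-g` and `-u` flags are BusyBox addgroup/adduser syntax; the FROM line is outside the hunk, so this presumes an Alpine-based final stage — worth a one-line comment above the RUN, e.g. `# BusyBox adduser/addgroup syntax; fixed UID/GID 10001 so volume ownership and runAsNonRoot checks are stable.`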