
Harden Linux container runtime by switching CallbackHandler to a non-root user#236

Merged
StuartFerguson merged 3 commits intomainfrom
copilot/fix-dockerfile-user-security
Mar 16, 2026

Conversation

Contributor

Copilot AI commented Mar 16, 2026

The Linux Docker image for CallbackHandler did not declare a runtime user, so the application could start as root. This change hardens the container by running the app under a dedicated non-root account while preserving the existing runtime filesystem layout.

  • Container runtime hardening

    • Add a dedicated txnproc user in /home/txnproc
    • Set the final image to run as USER txnproc
  • Preserve existing runtime paths

    • Create the expected runtime directories up front:
      • /home/txnproc/config
      • /home/txnproc/trace
    • Ensure these directories remain writable/readable by the non-root runtime user
  • Keep app startup behavior unchanged

    • Retain the existing published app layout under /app
    • Keep the existing entrypoint intact

```dockerfile
FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS base
WORKDIR /app
# Dedicated runtime account with no login shell; the runtime directories are
# created up front and owned by it so the app can read/write config and trace data.
RUN useradd --create-home --shell /usr/sbin/nologin txnproc \
    && install -d -o txnproc -g txnproc /home/txnproc/config /home/txnproc/trace

FROM base AS final
WORKDIR /app
# The `publish` stage referenced here is not shown in this excerpt.
COPY --from=publish /app/publish .
RUN chown -R txnproc:txnproc /app
USER txnproc
ENTRYPOINT ["dotnet", "CallbackHandler.dll"]
```

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • f.feedz.io
    • Triggering command: /usr/bin/dotnet dotnet build CallbackHandler.sln --configuration Release (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[Security] By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.</issue_title>
<issue_description>

Codacy ID: be6427fcb08f3ff17d0ff0305b40cf32

File: CallbackHandler/Dockerfile
Line: 25
Rule: Security (High)
Commit: 5c2c13630c67205156fc1779c5d732722a75a82f

Message: By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.

**Code Snippet:**
```dockerfile
ENTRYPOINT ["dotnet", "CallbackHandler.dll"]
```

</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 2 commits March 16, 2026 14:05
Co-authored-by: StuartFerguson <16325469+StuartFerguson@users.noreply.github.com>
Co-authored-by: StuartFerguson <16325469+StuartFerguson@users.noreply.github.com>
Copilot AI changed the title from "[WIP] [Security] Fix program running as root in Dockerfile" to "Harden Linux container runtime by switching CallbackHandler to a non-root user" Mar 16, 2026
Copilot AI requested a review from StuartFerguson March 16, 2026 14:09
@StuartFerguson StuartFerguson marked this pull request as ready for review March 16, 2026 14:14
@StuartFerguson StuartFerguson merged commit afa7d67 into main Mar 16, 2026
6 checks passed


Development

Successfully merging this pull request may close these issues.

[Security] By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.

2 participants