From 73e68388c0d228c6e3f0189ed913316e1ea745dd Mon Sep 17 00:00:00 2001
From: anti
Date: Fri, 10 Apr 2026 02:27:02 -0400
Subject: [PATCH] fix(conpot): Refactor permissions to use dedicated decnet user via chown
---
 templates/conpot/Dockerfile | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/templates/conpot/Dockerfile b/templates/conpot/Dockerfile
index 0c688b4..2286c4f 100644
--- a/templates/conpot/Dockerfile
+++ b/templates/conpot/Dockerfile
@@ -13,8 +13,11 @@ RUN (apt-get update && apt-get install -y --no-install-recommends libcap2-bin 2>
 # Apply setcap to python binaries
 RUN find /usr /opt -type f -name 'python*' -exec setcap 'cap_net_bind_service+eip' {} \; 2>/dev/null || true
-# Make sure all conpot-related directories are writable by everyone so 'nobody' can run it
-RUN chmod -R 777 /var/log/conpot /opt/conpot /home/conpot /usr/local/lib/python*/site-packages/conpot/tests/data /tmp 2>/dev/null || true
+# Create the decnet user following repository conventions
+RUN (addgroup -S decnet && adduser -S decnet -G decnet 2>/dev/null) || useradd -r -s /bin/false decnet 2>/dev/null || true
-# Run as nobody, which avoids the root-check failure and the missing 'conpot' user error
-USER nobody
+# Make sure all conpot-related directories are owned by decnet so it can run it
+RUN chown -R decnet:decnet /var/log/conpot /opt/conpot /home/conpot /usr/local/lib/python*/site-packages/conpot/tests/data /tmp 2>/dev/null || true
+
+# Run as decnet user, avoiding the root-check failure and 777 hacks
+USER decnet
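Review bot: The trailing `|| true` on the new user-creation `RUN` (with stderr sent to /dev/null) lets the build succeed even when neither `adduser` nor `useradd` created the account, so `USER decnet` can name a user that does not exist and the error only surfaces when the container starts. Let that step fail the build instead, e.g. `RUN (addgroup -S decnet && adduser -S decnet -G decnet) || useradd -r -s /bin/false decnet`. The `chown -R ... || true` line masks failures the same way, and it also gives the service account ownership of the `/opt/conpot` code tree and of all of `/tmp`. Since this account runs the process that binds the service ports, consider limiting ownership to the directories it has to write (presumably `/var/log/conpot` and the data directory; which ones conpot needs is not visible in this hunk) and leaving the code root-owned.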