Drop privileges.

Dockerfile

@@ -12,8 +12,6 @@ RUN chown nobody:nogroup /data
 COPY mover.sh /mover.sh
 COPY entrypoint.sh /entrypoint.sh
 
-# Switch user
-USER nobody
 WORKDIR /tmp
 
 ENTRYPOINT [ "/tini", "--", "/entrypoint.sh" ]

entrypoint.sh

@@ -9,11 +9,13 @@ export INCOMING="${INCOMING:-${SHARED_WARCS_DIR}/incoming/}"
 export UPLOAD_QUEUE="${UPLOAD_QUEUE:-${SHARED_WARCS_DIR}/upload-queue/}"
 
 mkdir -pv "${INCOMING}"
+chown nobody:nogroup "${INCOMING}"
 mkdir -pv "${UPLOAD_QUEUE}"
+chown nobody:nogroup "${UPLOAD_QUEUE}"
 
 case "$1" in
 	"mover")
-		/mover.sh
+		setpriv --reuid=nobody --regid=nogroup --init-groups --inh-caps=-all /mover.sh
 		;;
 
 esac