From 8399bc7a045d50a9ae1bd3a31c58c0259a1b8d75 Mon Sep 17 00:00:00 2001 From: Bjarne Laumann Date: Sat, 12 Apr 2025 00:22:52 +0200 Subject: [PATCH] Added user flag to docker run command --- README.md | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b5cbca928..3b17b1a41 100644 --- a/README.md +++ b/README.md @@ -117,7 +117,9 @@ On Linux, you can deploy smp and xftp server using Docker. This will download im - `smp-server` - You must change **your_ip_or_domain**. `-e "pass=password"` is optional variable to password-protect your `smp` server: + - You must change **your_ip_or_domain**. + - `-e "pass=password"` is an optional variable, used to password-protect your `smp` server. + - You should run the container as a non-root user (`-u "non_root_user_id"`), since this is the most effective mitigation against privilege escalation vulnerabilities. ```sh docker run -d \ -e "ADDR=your_ip_or_domain" \ @@ -125,12 +127,14 @@ On Linux, you can deploy smp and xftp server using Docker. This will download im -p 5223:5223 \ -v $HOME/simplex/smp/config:/etc/opt/simplex:z \ -v $HOME/simplex/smp/logs:/var/opt/simplex:z \ + -u "non_root_user_id" simplexchat/smp-server:latest ``` - `xftp-server` - You must change **your_ip_or_domain** and **maximum_storage**. + - You must change **your_ip_or_domain** and **maximum_storage**. + - You should run the container as a non-root user (`-u "non_root_user_id"`), since this is the most effective mitigation against privilege escalation vulnerabilities. ```sh docker run -d \ -e "ADDR=your_ip_or_domain" \ @@ -139,6 +143,7 @@ On Linux, you can deploy smp and xftp server using Docker. This will download im -v $HOME/simplex/xftp/config:/etc/opt/simplex-xftp:z \ -v $HOME/simplex/xftp/logs:/var/opt/simplex-xftp:z \ -v $HOME/simplex/xftp/files:/srv/xftp:z \ + -u "non_root_user_id" simplexchat/xftp-server:latest ``` 
@@ -188,7 +193,9 @@ On Linux, you can build smp server using Docker. - `smp-server` - You must change **your_ip_or_domain**. `-e "pass=password"` is optional variable to password-protect your `smp` server: + - You must change **your_ip_or_domain**. + - `-e "pass=password"` is an optional variable, used to password-protect your `smp` server. + - You should run the container as a non-root user (`-u "non_root_user_id"`), since this is the most effective mitigation against privilege escalation vulnerabilities. ```sh docker run -d \ -e "ADDR=your_ip_or_domain" \ @@ -196,12 +203,14 @@ On Linux, you can build smp server using Docker. -p 5223:5223 \ -v $HOME/simplex/smp/config:/etc/opt/simplex:z \ -v $HOME/simplex/smp/logs:/var/opt/simplex:z \ + -u "non_root_user_id" simplexchat/smp-server:latest ``` - `xftp-server` - You must change **your_ip_or_domain** and **maximum_storage**. + - You must change **your_ip_or_domain** and **maximum_storage**. + - You should run the container as a non-root user (`-u "non_root_user_id"`), since this is the most effective mitigation against privilege escalation vulnerabilities. ```sh docker run -d \ -e "ADDR=your_ip_or_domain" \ @@ -210,6 +219,7 @@ On Linux, you can build smp server using Docker. -v $HOME/simplex/xftp/config:/etc/opt/simplex-xftp:z \ -v $HOME/simplex/xftp/logs:/var/opt/simplex-xftp:z \ -v $HOME/simplex/xftp/files:/srv/xftp:z \ + -u "non_root_user_id" simplexchat/xftp-server:latest ```
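
Review bot: The added `-u "non_root_user_id"` line has no trailing backslash in any of the four command hunks (@@ -125, @@ -139, @@ -196, @@ -210), so the shell ends `docker run` at that line and then tries to execute `simplexchat/smp-server:latest` (or `simplexchat/xftp-server:latest`) as a separate command. As written, a copy-paste of the documented command fails with no image argument. End the new line with ` \` like the `-v` lines above it, or move `-u` above the last `-v` line so that the existing continuation is reused.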
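
Review bot: The new bullet in the text hunks (@@ -117 and @@ -188) does not tell the operator what to put in place of `non_root_user_id`, and it is not listed under "You must change" or set in bold like **your_ip_or_domain**. Passed literally, Docker treats the string as a user name to look up inside the image, which is unlikely to exist. Suggest marking it as a placeholder in the same style as the others and giving a concrete form, for example a numeric `uid:gid` such as the output of `id -u` and `id -g` for a dedicated unprivileged host account. The phrase "the most effective mitigation against privilege escalation vulnerabilities" is also stronger than the change supports; wording along the lines of "limits what a compromised server process can do inside the container and on the mounted host directories" is easier to defend.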
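
Review bot: Missing documentation for the bind mounts once `-u` is in place. The commands mount `$HOME/simplex/smp/config`, `$HOME/simplex/smp/logs` and, for xftp, `$HOME/simplex/xftp/files` read-write, and none of the hunks mention that these host directories must exist and be writable by the chosen uid before the first start. If they are missing, Docker creates them owned by root, and a non-root container user then cannot write its configuration, logs or files. Add a step before each `docker run` that creates the directories and sets their ownership to the same uid passed to `-u`.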