Use explicit users and chown instad of umask 000

server/Dockerfile

@@ -1,14 +1,17 @@
 # dev build
 FROM ghcr.io/immich-app/base-server-dev:202507162011@sha256:85d4230c2208646bd6c528db41b2213d780b11b7a311397ca6a2aaba7cf697c8 AS dev
 
+ARG SERVER_USER=0
+ARG SERVER_GROUP=${SERVER_USER}
+
+RUN chown -R ${SERVER_USER}:${SERVER_GROUP} /usr/src/app
+USER ${SERVER_USER}:${SERVER_GROUP}
+
 WORKDIR /usr/src/app
-COPY ./server/package* ./server/
+COPY --chown=${SERVER_USER}:${SERVER_GROUP} ./server/package* ./server/
 WORKDIR /usr/src/app/server
-RUN  echo "umask 000" | tee /etc/profile /etc/bash.bashrc >/dev/null && \
-  umask 000 && \
-  chmod o+wx /usr/src/app && \
-  chmod o+wx /usr/src/app/server && \
-  mkdir -p /usr/src/app/upload && \
+
+RUN mkdir -p /usr/src/app/upload && \
   npm ci && \
   # exiftool-vendored.pl, sharp-linux-x64 and sharp-linux-arm64 are the only ones we need
   # they're marked as optional dependencies, so we need to copy them manually after pruning
@@ -22,23 +25,27 @@ ENTRYPOINT ["tini", "--", "/bin/bash", "-c"]
 
 FROM dev AS dev-container-server
 
-RUN rm -rf /usr/src/app
-RUN apt-get update && \
-  apt-get install sudo inetutils-ping openjdk-11-jre-headless \
+USER 0:0
+RUN rm -rf /usr/src/app && \
+  apt-get update && \
+  apt-get install inetutils-ping openjdk-11-jre-headless \
   vim nano \
   -y --no-install-recommends --fix-missing
 
-RUN usermod -aG sudo node
-RUN echo "node ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
-RUN mkdir -p /workspaces/immich
-COPY --chmod=777 ../.devcontainer/server/*.sh /immich-devcontainer/
+RUN mkdir -p /workspaces/immich/server/node_modules && \
+  mkdir -p /workspaces/immich/web/node_modules && \
+  mkdir -p /workspaces/immich/open-api/typescript-sdk/node_modules && \
+  chown -R ${SERVER_USER}:${SERVER_GROUP} /workspaces/immich
 
-COPY .. /tmp/create-dep-cache/
+USER $SERVER_USER:$SERVER_GROUP
+COPY --chmod=555 --chown=${SERVER_USER}:${SERVER_GROUP} ../.devcontainer/server/*.sh /immich-devcontainer/
+
+COPY --chown=${SERVER_USER}:${SERVER_GROUP} .. /tmp/create-dep-cache/
 WORKDIR /tmp/create-dep-cache
 RUN make ci-all && rm -rf /tmp/create-dep-cache
 
 FROM dev-container-server AS dev-container-mobile
-
+USER 0:0
 # Enable multiarch for arm64 if necessary
 RUN if [ "$(dpkg --print-architecture)" = "arm64" ]; then \
   dpkg --add-architecture amd64 && \
@@ -62,20 +69,20 @@ RUN mkdir -p ${FLUTTER_HOME} \
   && curl -C - --output flutter.tar.xz https://storage.googleapis.com/flutter_infra_release/releases/${FLUTTER_CHANNEL}/linux/flutter_linux_${FLUTTER_VERSION}-${FLUTTER_CHANNEL}.tar.xz \
   && tar -xf flutter.tar.xz --strip-components=1 -C ${FLUTTER_HOME} \
   && rm flutter.tar.xz \
-  && chown -R node ${FLUTTER_HOME}
+  && chown -R ${SERVER_USER}:${SERVER_GROUP} ${FLUTTER_HOME}
 
-RUN sudo apt-get update \
-  && wget -qO- https://dcm.dev/pgp-key.public | sudo gpg --dearmor -o /usr/share/keyrings/dcm.gpg \
-  && echo 'deb [signed-by=/usr/share/keyrings/dcm.gpg arch=amd64] https://dcm.dev/debian stable main' | sudo tee /etc/apt/sources.list.d/dart_stable.list \
-  && sudo apt-get update \
-  && sudo apt-get install dcm -y
-
-COPY --chmod=777 ../.devcontainer/mobile/container-mobile-post-create.sh /immich-devcontainer/container-mobile-post-create.sh
+RUN apt-get update \
+  && wget -qO- https://dcm.dev/pgp-key.public | gpg --dearmor -o /usr/share/keyrings/dcm.gpg \
+  && echo 'deb [signed-by=/usr/share/keyrings/dcm.gpg arch=amd64] https://dcm.dev/debian stable main' | tee /etc/apt/sources.list.d/dart_stable.list \
+  && apt-get update \
+  && apt-get install dcm -y
 
+USER $SERVER_USER:$SERVER_GROUP
 RUN dart --disable-analytics
 
 FROM dev AS prod
 
+USER 0:0
 COPY server .
 RUN npm run build
 RUN npm prune --omit=dev --omit=optional
@@ -85,6 +92,7 @@ COPY --from=dev /usr/src/app/server/node_modules/exiftool-vendored.pl ./node_mod
 # web build
 FROM node:22.16.0-alpine3.20@sha256:2289fb1fba0f4633b08ec47b94a89c7e20b829fc5679f9b7b298eaa2f1ed8b7e AS web
 
+USER 0:0
 WORKDIR /usr/src/app
 COPY ./web ./web/
 COPY ./i18n ./i18n/