Minimise root ownership of application files

[kowh-ai]

Fixes: this issue

To improve the security of CKAN images and containers, it is advised that all files and directories related to the application be assigned to a dedicated non-root user. Moreover, running CKAN processes under a separate non-root user account strengthens system security by minimising the privileges of the running services.

To be applied along with the main ckan-docker-base update: ckan/ckan-docker-base#80

[wardi]

@kowh-ai I'm just testing the README's "Create an extension" section and it's now failing with a permission error.

I can get past it with a change to the command like:

docker compose -f docker-compose.dev.yml exec -u `stat -c '%u' src` -e HOME=/srv/app/src_extensions ckan-dev ckan generate extension --output-dir /srv/app/src_extensions

This has the benefit of creating the files as the correct UID from outside the container, so these last two paragraphs can be removed from the section:

The files will be owned by root, to correct the ownership so you can edit the files with your normal account outside the container run:

docker compose -f docker-compose.dev.yml exec ckan-dev chown --reference /srv/app/src_extensions/ -R /srv/app/src_extensions/ckanext-mytheme/

But maybe that command is getting long to type in? We could consider putting the "create an extension" command into a script in this repo, what do you think?

[wardi]

I've made these changes in #185