
docker: entrypoint.sh privilege drop not enforced — bypassing it causes gateway processes to run as root #18936

@renne

Description


Problem

The official Docker image has entrypoint.sh which drops from root → uid 10000 (hermes) via gosu. However, the CMD/ENTRYPOINT in the image can be overridden in compose.yml without including entrypoint.sh, silently bypassing the privilege drop.

Example misconfiguration:

# Missing entrypoint.sh — processes run as root
entrypoint: [tini, -g, --, /opt/data/bin/start-all-profiles.sh]

The correct form:

entrypoint: [tini, -g, --, /opt/hermes/docker/entrypoint.sh, /opt/data/bin/start-all-profiles.sh]

Impact

When gateway processes run as root they create files (gateway.lock, gateway.pid, profile lockfiles) owned by root:root. After the misconfiguration is corrected and the container restarts with entrypoint.sh, those files are left behind. The dashboard (uid 10000) then fails to open them, causing HTTP 500 on /api/status (see issue #18935) and the events feed disconnected UI error.

Suggestions

  1. Documentation: add a warning in the compose/deployment docs that the entrypoint override must always include entrypoint.sh.
  2. Defensive check in entrypoint.sh: if running as root and about to exec a non-entrypoint binary, warn or refuse.
  3. start-all-profiles.sh self-check: assert $(id -u) != 0 at startup and exit with a clear error if run as root.

Environment

  • Image: nousresearch/hermes-agent:latest (v0.12.0)
  • Deployment: Docker Compose with shared volume ./data:/opt/data
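The startup self-check proposed in suggestions 2 and 3, written out as an added example (my own sketch, not code from the hermes-agent image or repository). It assumes the uid 10000 and the /opt/data volume named above; the function names and the HERMES_DATA_DIR variable are my own.

```shell
#!/bin/sh
# Added example, not the project's own code. Sourceable from
# start-all-profiles.sh (refuse_root) or entrypoint.sh (warn_stale_root_files).
# Assumptions: uid 10000 and /opt/data come from the issue; names are mine.

HERMES_DATA_DIR="${HERMES_DATA_DIR:-/opt/data}"

# uid_is_unprivileged UID: succeed for any uid except 0.
# Kept separate from `id -u` so the decision itself is testable.
uid_is_unprivileged() {
    [ "$1" -ne 0 ]
}

# refuse_root: the assert-at-startup check for start-all-profiles.sh.
# Returns 1 (caller should exit) when the effective uid is 0, which means
# the entrypoint override skipped entrypoint.sh and its gosu drop.
refuse_root() {
    if ! uid_is_unprivileged "$(id -u)"; then
        echo "fatal: running as root; the entrypoint override must include /opt/hermes/docker/entrypoint.sh" >&2
        return 1
    fi
}

# files_owned_by DIR UID: list regular files under DIR owned by UID.
# With UID 0 this finds the gateway.lock / gateway.pid leftovers that break
# the dashboard after the misconfiguration has been corrected.
files_owned_by() {
    find "$1" -xdev -type f -uid "$2" 2>/dev/null | sort
}

# warn_stale_root_files: entrypoint-side check that reports leftovers up
# front instead of letting the uid 10000 process fail later with HTTP 500.
# Returns 1 when any root-owned file is present so the caller can decide.
warn_stale_root_files() {
    stale="$(files_owned_by "$HERMES_DATA_DIR" 0)"
    [ -z "$stale" ] && return 0
    echo "warning: root-owned files in $HERMES_DATA_DIR (created while running as root):" >&2
    echo "$stale" >&2
    echo "fix: chown these files to uid 10000 or remove the stale lock/pid files" >&2
    return 1
}
```

A start script would call `refuse_root || exit 1` before touching the data volume; entrypoint.sh can call `warn_stale_root_files` after the gosu drop has been confirmed.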

Labels

  • P2 Medium: degraded but workaround exists
  • area/docker: Docker image, Compose, packaging
  • comp/gateway: Gateway runner, session dispatch, delivery
  • type/security: Security vulnerability or hardening
