This issue of moving the user creation to the top of the Dockerfile (first 2 minutes of lecture 12) has confused me.

I get that the root user did the previous steps and has write permission where the app user does not - so I can see that running npm start throws an error because the app user cannot write to this .cache.

So now I presume that moving app user creation to the top solves the issue because now the app user is owner of everything that got copied and so has write permission within it.

But if that’s correct, doesn’t it invalidate what Mosh said at the very end of lecture 11 about how changing the user at the end was good because otherwise a hacker can potentially make changes to the code?
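
The ownership trade-off raised in this question, shown as an added example that is not part of the original post or the course material: one Dockerfile with two build targets, the first giving the unprivileged user ownership of the code, the second leaving the code owned by root and granting write access only to a cache directory. The image tag, the `/app` path, the `app` user name and the `node_modules/.cache` location are assumptions.

```dockerfile
# Constructed example. Image tag, /app, user name and cache path are assumptions.

# Variant A: the unprivileged user owns the code, so a process running as
# that user can also modify the code at run time.
FROM node:20-alpine AS app-owns-code
RUN addgroup app && adduser -S -G app app \
    && mkdir /app && chown app:app /app
USER app
WORKDIR /app
# --chown is required: COPY creates files as UID/GID 0 regardless of USER.
COPY --chown=app:app package*.json ./
RUN npm install
COPY --chown=app:app . .
CMD ["npm", "start"]

# Variant B: root owns the code and dependencies; the app user can write
# only to the one directory the tooling needs at run time.
FROM node:20-alpine AS root-owns-code
RUN addgroup app && adduser -S -G app app
WORKDIR /app
# Still root here, so everything copied and installed is owned by root.
COPY package*.json ./
RUN npm install
COPY . .
# Narrow exception: a writable cache directory for the unprivileged user.
RUN mkdir -p node_modules/.cache && chown -R app:app node_modules/.cache
# Drop privileges last; the source tree stays read-only for the app user.
USER app
CMD ["npm", "start"]
```

Either variant can be built on its own with `docker build --target root-owns-code .` (or `--target app-owns-code`), and listing `/app` with `ls -l` inside the resulting container shows which user owns the code.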