28

Is root the default user when calling docker exec (without --user)?

Does a USER line in the Dockerfile affect the default user for docker exec?

Community
  • 1
  • 1
bcb
  • 1,977
  • 2
  • 22
  • 21

3 Answers3

28

The default user in docker exec is the same user used to start the container which can be set in docker run or your compose file.

If you do not explicitly set the user when starting the container, it will default to the user configured in the image, you can inspect the image to look this up. This is configured by the last USER line in the Dockerfile. It may also be configured by a parent image specified by the FROM line.

If neither the image, nor the run command specifies a user, docker defaults to root, uid 0.

ti7
  • 16,375
  • 6
  • 40
  • 68
BMitch
  • 231,797
  • 42
  • 475
  • 450
11

Does a USER line in the Dockerfile affect the default user for docker exec?

Yes, as the docs mention:

The USER instruction sets the user name (or UID) and optionally the user group (or GID) to use when running the image and for any RUN, CMD and ENTRYPOINT instructions that follow it in the Dockerfile.

Here's an example Dockerfile which creates a user and makes that as the run user.

cat Dockerfile
FROM ubuntu:latest
RUN useradd -r sathya
USER sathya

Build the image

docker build -t sathya:user .
Sending build context to Docker daemon  19.46kB
Step 1/3 : FROM ubuntu:latest
 ---> 113a43faa138
Step 2/3 : RUN useradd -r sathya
 ---> Running in 5b72508a891d
Removing intermediate container 5b72508a891d
 ---> b81692196e13
Step 3/3 : USER sathya
 ---> Running in d43d399a86ac
Removing intermediate container d43d399a86ac
 ---> c0388a898992
Successfully built c0388a898992
Successfully tagged sathya:user

Run a container

docker run -it -d sathya:user bash
0903e85fa4de4bb820f015f3ff2bbca9eb2c038814ff7ea809519334687597c7

Exec the container. See that the running user is the default user specified

docker exec -it 0903e85fa4de bash
sathya@0903e85fa4de:/$ whoami
sathya
Sathyajith Bhat
  • 21,321
  • 22
  • 95
  • 134
  • That says "when running the image", not when executing a command inside a running container. When I do `docker exec -it my_container bash`, I'm in as root, despite the USER line in the Dockerfile. – bcb Aug 29 '18 at 06:30
  • did you build the image? It works fine for me. See the example above – Sathyajith Bhat Aug 29 '18 at 07:33
  • You're right, the problem was in docker-compose.yml, it has `user: root`. – bcb Aug 29 '18 at 09:04
-1

When you run an interactive terminal into your container you can just run the

whoami

command in either Windows or Linux to get the effective user. And yes it will be the same user you've defined to run your container in docker run or with USER in the dockerfile. By default, I believe the default Windows user is ContainerAdministrator and Linux it is root.

I find it's a good security practice to run the containers with ContainerUser instead in Windows. It's basically an authenticated user with a few more permissions but far less than an administrator.

Charles Owen
  • 2,403
  • 1
  • 14
  • 25