Is there any way to stop a user with a Dockerfile and docker-compose from assuming root inside of a Docker container? The concern is, of course, security and least privilege, and I would like to see if anyone has solved that issue. Thank you ahead for your feedback.
TL;DR: no, anyone who can `docker run` anything can always get a root shell in your container or for that matter on the host. – David Maze Nov 25 '19 at 13:21
2 Answers
Docker run can be helpful here. When running containers you can specify that the container process will run as user xyz, who belongs to group xyz (optional).
--user, -u  Username or UID (format: name|uid[:group|gid])
# Run as the given user (and group); the comment must not follow a
# trailing backslash, or the shell treats it as part of the command line
docker container run --rm \
  --user <uid>:<gid> \
  my-repo/my-image:latest

ankidaemon
As you can see in the following, you can use the --user/-u option to specify a user (optionally with the group) in the $ docker run command:
$ docker --version
Docker version 19.03.4, build 9013bf583a
$ docker run --help
Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]
Run a command in a new container
Options:
...
...
...
-u, --user string Username or UID (format: <name|uid>[:<group|gid>])
--userns string User namespace to use
--uts string UTS namespace to use
-v, --volume list Bind mount a volume
--volume-driver string Optional volume driver for the container
--volumes-from list Mount volumes from the specified container(s)
-w, --workdir string Working directory inside the container
So, you can use it like,
$ docker run --rm -it -u 65555 busybox id
uid=65555 gid=0(root)
$ docker run --rm -it -u 65555:65555 busybox id
uid=65555 gid=65555

Shudipta Sharma
(Also `-u 0` to explicitly request root, even if the image specified something different.) – David Maze Nov 25 '19 at 13:22
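Both answers show the `--user` flag on the command line. The question, however, asked about the Dockerfile and docker-compose, where the same thing is done with the `USER` instruction and the `user:` service key, so that the non-root default holds even when nobody remembers to pass `-u`. The script below is an added example, not code from the question or either answer: it writes such a Dockerfile and compose file and runs a small static check a CI job can use to fail the build when either would start as root. The service name `app`, the image tag `my-repo/my-image:latest`, uid/gid `10001` and the `python:3.12-slim` base image are assumptions chosen for illustration. As David Maze's comments note, none of this stops someone who can run `docker` from overriding it with `-u 0`; it only fixes the default.

```shell
#!/bin/sh
# Added example: pin a non-root user in the image and in docker-compose.
# Assumed names: service "app", image "my-repo/my-image:latest", uid/gid 10001.
set -eu

# Write a Dockerfile that creates an unprivileged account and switches to it.
# A numeric USER is preferred: the runtime can tell it is not uid 0 without
# resolving names inside the image, and it does not depend on /etc/passwd.
write_dockerfile() {
    cat > "$1" <<'EOF'
FROM python:3.12-slim
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid 10001 --create-home --shell /usr/sbin/nologin app
WORKDIR /app
COPY --chown=10001:10001 . .
USER 10001:10001
CMD ["python", "-m", "http.server", "8080"]
EOF
}

# Write a docker-compose.yml that repeats the user (so a later override file
# cannot silently inherit root from the image), drops all capabilities and
# sets no-new-privileges so setuid binaries cannot regain root at runtime.
write_compose() {
    cat > "$1" <<'EOF'
services:
  app:
    build: .
    image: my-repo/my-image:latest
    user: "10001:10001"
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
EOF
}

# Static check: return 0 only if both files pin a non-root user.
# The last USER instruction in a Dockerfile is the one that applies.
check_nonroot() {
    dockerfile="$1"; compose="$2"
    uid=$(grep -E '^USER ' "$dockerfile" | tail -n1 | awk '{print $2}' | cut -d: -f1)
    [ -n "$uid" ] || { echo "Dockerfile has no USER line (defaults to root)"; return 1; }
    [ "$uid" != "0" ] && [ "$uid" != "root" ] || { echo "Dockerfile USER is root"; return 1; }
    cuid=$(grep -E '^[[:space:]]*user:' "$compose" | head -n1 \
           | sed -E 's/.*user:[[:space:]]*"?([^":]+).*/\1/')
    [ -n "$cuid" ] || { echo "compose service has no user: key"; return 1; }
    [ "$cuid" != "0" ] && [ "$cuid" != "root" ] || { echo "compose user: is root"; return 1; }
    echo "non-root: Dockerfile uid=$uid, compose uid=$cuid"
}

# Usage: generate both files into a scratch directory and check them.
workdir=$(mktemp -d)
write_dockerfile "$workdir/Dockerfile"
write_compose "$workdir/docker-compose.yml"
check_nonroot "$workdir/Dockerfile" "$workdir/docker-compose.yml"
# With Docker available, confirm at runtime (expected: uid=10001 gid=10001):
#   docker compose -f "$workdir/docker-compose.yml" run --rm app id
```

The check is deliberately file-based so it runs without a Docker daemon; the runtime confirmation is the `id` call in the final comment, which should report uid 10001 rather than uid 0.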