If you have worked with containers, you may have noticed that you need not provide any user information while creating a container. You may be wondering where it gets the user information from. This document explains that.
A Docker container by default runs as the root user. This can be overridden in the Dockerfile, where a non-root user can be created. The 'docker exec' command by default uses the user specified in the Dockerfile; if none is specified, it uses the root user.
A root user inside the container is the root user on the host
Root inside container, root outside container
By default, a container runs as the root user
# docker run -dt --name dktest ubuntu:14.04
a604604393a8ffecd8a7c322389cec009af0c73c217fe5064cd617107bccae57
# docker top dktest -> UID in host
UID PID PPID C STIME TTY TIME CMD
root 24376 24359 0 10:08 pts/0 00:00:00 /bin/bash
# docker exec -it dktest bash
root@a604604393a8:/# ps -auf -> UID in container
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 15 0.3 0.0 18184 3132 pts/1 Ss 04:38 0:00 bash
root 30 0.0 0.0 15576 2140 pts/1 R+ 04:38 0:00 \_ ps -auf
root 1 0.0 0.0 18180 3152 pts/0 Ss+ 04:38 0:00 /bin/bash
nonroot inside container, nonroot outside container
# docker run -dt --name dktest --user nobody --entrypoint /bin/bash ubuntu:14.04
6b3c58b37986beccbe7e85af8ff4068bdf344d755f3525869afcdbcce88cbaf1
# docker top dktest -> UID in host machine
UID PID PPID C STIME TTY TIME CMD
nobody 22118 22101 0 10:04 pts/0 00:00:00 /bin/bash
# docker exec -it dktest bash
nobody@6b3c58b37986:/$ ps -auf -> UID inside container
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
nobody 8 0.5 0.0 18168 3276 pts/1 Ss 04:35 0:00 bash
Remember that a process running in a container is no different from any other process running on Linux, except that it carries a small piece of metadata declaring that it is in a container. Containers are not trust boundaries, so anything running in a container should be treated with the same consideration as anything running on the host itself.
A container running as root can access host data that a non-root user on the host cannot. In the session below the file is owned by root with mode 060, so not even the owner's permission bits grant read access; a non-root host user and a container running as 'nobody' are denied, while the default (root) container reads the file through the bind mount, because root bypasses discretionary permission checks and container root is host root.
Container accessing data owned by the root user on the host
root@ubuntu-232:~/deepak/cpxlicense# whoami
root
root@ubuntu-232:~/deepak/cpxlicense# echo "private key is mysecret" >>/root/topsecret.txt
root@ubuntu-232:~/deepak/cpxlicense# chmod 050 /root/topsecret.txt
root@ubuntu-232:~/deepak/cpxlicense# ls -ltrh /root/topsecret.txt
----r-x--- 1 root root 24 Feb 20 16:03 /root/topsecret.txt
root@ubuntu-232:~/deepak/cpxlicense# chmod 060 /root/topsecret.txt
root@ubuntu-232:~/deepak/cpxlicense# ls -ltrh /root/topsecret.txt
----rw---- 1 root root 24 Feb 20 16:03 /root/topsecret.txt
root@ubuntu-232:~/deepak/cpxlicense# su - nonroot
No directory, logging in with HOME=/
$ cat /root/topsecret.txt
cat: /root/topsecret.txt: Permission denied
$ sudo docker run -dt --name dktest --user nobody -v /root:/root ubuntu:14.04
77e7b0f3e454772195ee350949331fc8218558263960cba1fc65488bceb4cf9b
$ sudo docker exec -it dktest bash
nobody@77e7b0f3e454:/$ cat /root/topsecret.txt
cat: /root/topsecret.txt: Permission denied
$ sudo docker rm -f dktest
dktest
$ sudo docker run -dt --name dktest -v /root:/root ubuntu:14.04
cb29d7332ae2f5234cb04bd09b2e61371d6a67ba6d68d10c50a38ba4f13e7d20
$ sudo docker exec -it dktest bash
root@cb29d7332ae2:/# cat /root/topsecret.txt
private key is mysecret
root@cb29d7332ae2:/#
Overriding the user with 'docker exec --user'
# docker run -dt -P --name dktest -e EULA=yes --privileged=true --user nobody --entrypoint /bin/bash ubuntu:14.04
c4ce651258c68a427fa0652ae5a35ee3985102e815cd9f0197dc0a2d050c7e75
# docker exec -it --user nobody dktest /bin/bash
nobody@c4ce651258c6:/$ whoami
nobody
# cat /etc/passwd | egrep -i 'root|nobody'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
# docker exec -it --user nobody2 dktest /bin/bash
unable to find user nobody2: no matching entries in passwd file
# docker exec -it --user root dktest /bin/bash
root@c4ce651258c6:/# whoami
root
There are container runtimes, for example Podman, which by default create containers whose root user does not have root access outside the container (rootless containers, built on user namespaces). This approach can mitigate the issue.
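The following is an added example, not code from the original post. It shows the mechanism behind both the "root inside is root outside" transcripts and the Podman mitigation: the kernel's /proc/PID/uid_map tells you which host UID a container UID really is, and the helper flags the host-root case. The map contents in the comments are constructed samples; the docker commands in the usage comment are assumed to be run on a host with docker CLI access.

```shell
#!/bin/sh
# Added example, not part of the original post. Every process, including a
# container's, has /proc/<pid>/uid_map: lines of "inside outside count" that
# say which host UIDs the UIDs inside its user namespace map to.
# Docker's default is no user namespace, so the map is the identity
# "0 0 4294967295": container uid 0 IS host uid 0, which is why the
# transcripts above can read /root/topsecret.txt. Rootless Podman or Docker's
# userns-remap produce a map such as "0 100000 65536" (constructed sample),
# and then container root is an unprivileged host UID.

# host_uid_for <uid_map_file> <container_uid>
# Prints the host UID the kernel enforces for <container_uid>; prints
# "unmapped" and returns 1 if no map line covers it (such a UID cannot
# be used inside the namespace at all).
host_uid_for() {
    map_file=$1
    cuid=$2
    while read -r inside outside count; do
        [ -z "$inside" ] && continue
        if [ "$cuid" -ge "$inside" ] && [ "$cuid" -lt $((inside + count)) ]; then
            echo $((cuid - inside + outside))
            return 0
        fi
    done < "$map_file"
    echo unmapped
    return 1
}

# is_host_root <uid_map_file> <container_uid>
# Succeeds when the process is real root on the host: the risky case to
# flag when the container also bind-mounts host paths (-v /root:/root).
is_host_root() {
    [ "$(host_uid_for "$1" "$2")" = "0" ]
}

# Live use on a Docker host (assumed commands; pid and cuid are looked up
# from the running container named in the transcripts, not hard-coded):
#   pid=$(docker inspect --format '{{.State.Pid}}' dktest)
#   cuid=$(docker exec dktest id -u)
#   if is_host_root /proc/"$pid"/uid_map "$cuid"; then
#       echo "dktest runs as host root"
#   fi
```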