Docker remove root user from image at build time
I have a simple Dockerfile that is based on debian
    FROM debian
    USER 1001
I build it
    docker build -t no-root:1 .
I run it
    docker run --name test -it no-root:1
Now I have a non-root shell
    I have no name!@2ac786ca2265:/$
But, I can exec into the container from another shell with
    docker exec -it --user 0 test bash
And I get a root shell
    root@e043edec4585:/#
And run root commands...
Is it possible to remove the root user from the system at build time so docker exec -it --user 0 test bash will fail?
I tried deleting the root line from /etc/passwd and /etc/group. It did not help. I'm able to docker exec -it --user 0 test bash in.
So - is there a way?
docker dockerfile
AFAIK the answer is no. You can't prevent docker from creating a process as root (uid 0).
– vstm
Nov 21 '18 at 13:16
asked Nov 21 '18 at 12:20
Eldad AK
1 Answer
Well it's simple enough to change users, something like the below which is an example I pinched off another site.
    # Create an unprivileged account with its own home directory
    RUN useradd -c 'Node.js user' -m -d /home/node -s /bin/bash node
    # Hand the application directory to that account
    RUN chown -R node:node /src
    # Run the container's default process as that account
    USER node
    ENV HOME=/home/node
I don't recommend trying to delete the root user. The above should stop root from being used on docker exec.
An alternative is to create a .profile in the root user's home directory which logs into a different user instead, but this'll only affect usage of exec where you're running -it {container} bash (aka, interactive shell).
Adding your lines didn't help. I'm still logged in as root. Just with the /home/node as my default home. Did I miss something?
– Eldad AK
Nov 21 '18 at 15:00
Those were just an example, you're using a Debian image so look up how to create a new user on Debian
– George Appleton
Nov 21 '18 at 16:01
The user is created correctly and the default container starts with the node user. It's an exec --user 0 from a new shell that allows root access.
– Eldad AK
Nov 21 '18 at 16:03
Only people you trust should be accessing your docker socket. Restrict their permissions on their machines if you really have to I suppose. You cannot delete the root user without breaking your container though
– George Appleton
Nov 21 '18 at 17:42
sudo passwd -l root disables root login, don't know why I didn't suggest that before
– George Appleton
Nov 21 '18 at 17:48
answered Nov 21 '18 at 12:41
George Appleton
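The comments above place the control at the Docker socket rather than inside the image. As an added example (not part of the original thread), this script reports which accounts can connect to that socket; the function names and default paths are assumptions, and it relies on `stat -c` as found on Linux.

```shell
#!/bin/sh
# Added example: list who can reach the Docker daemon through its UNIX socket.
# Every account reported here can run `docker exec --user 0` on any container.
# Assumes GNU/busybox `stat -c` (Linux); default paths are assumptions.

# Names that hold gid $1: explicit members in group file $2 plus accounts
# whose primary gid in passwd file $3 matches.
group_members() {
    {
        awk -F: -v gid="$1" '$3 == gid { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
        awk -F: -v gid="$1" '$4 == gid { print $1 }' "$3"
    } | sort -u
}

# Widest class allowed to connect, from an octal mode such as 660.
# Connecting to a UNIX socket needs the write bit (2).
socket_exposure() {
    mode=$1
    other=${mode#"${mode%?}"}            # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}            # second-to-last octal digit
    group=${group:-0}                    # single-digit modes such as 0
    if [ $(( other & 2 )) -ne 0 ]; then echo world
    elif [ $(( group & 2 )) -ne 0 ]; then echo group
    else echo owner
    fi
}

# Report for socket $1, using group file $2 and passwd file $3.
docker_socket_report() {
    sock=${1:-/var/run/docker.sock}
    groups=${2:-/etc/group}
    passwd=${3:-/etc/passwd}
    [ -e "$sock" ] || { echo "no socket at $sock"; return 1; }
    set -- $(stat -c '%a %u %g' "$sock")
    exposure=$(socket_exposure "$1")
    echo "socket=$sock mode=$1 uid=$2 gid=$3 exposure=$exposure"
    case $exposure in
        world) echo "any local account can get root in containers" ;;
        group) group_members "$3" "$groups" "$passwd" | sed 's/^/can-exec-as-root: /' ;;
        owner) echo "only uid $2 (and host root) can connect" ;;
    esac
}
```

Calling `docker_socket_report` with no arguments on a Docker host audits the default socket against the system's own group and passwd files.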