qqilihq

Reputation: 11454

docker-node: Running as non-root user, file permissions

Following docker-node’s best practices, I want to run my node app as a non-root user. The recommendation is as follows:

FROM node:6.10.3
...
# At the end, set the user to use when running this image
USER node

My simplified Dockerfile currently looks like this:

FROM node:6.10.3
WORKDIR /opt/app
COPY package.json .
RUN npm install
COPY . .
EXPOSE 3000
USER node
CMD ["node", "server.js"]

So, all the files added during image build are owned by root, but node server.js is run as the node user. This seems to work fine.

My question: Is there any additional security benefit from chown-ing the files so that they belong to node instead of root? I.e. doing something like:

RUN chown -R node:node .

Upvotes: 12

Views: 15097

Answers (1)

eljefedelrodeodeljefe

Reputation: 6791

It definitely does; however, I would also remove the chown binary (as well as all admin tools). This would make it harder when someone accesses the container as e.g. root. See here for a related answer.

Also, see this Dockerfile for inspiration.

Upvotes: 7
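
To see what the choice between root-owned and node-owned files changes in practice, the following added example (not part of the original question or answer) lists the paths a given uid/gid could modify, judged from owner, group and mode bits. It assumes GNU find; the names writable_by and make_sample and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the paths under DIR that the given numeric uid/gid could
# modify. Assumptions: GNU find (-printf); ACLs, supplementary groups and
# read-only mounts are ignored; symlinks are skipped (their mode is always 777).
writable_by() {
    dir=$1 uid=$2 gid=$3
    find "$dir" ! -type l -printf '%U %G %m %p\n' |
    while read -r fuid fgid mode path; do
        m=$((0$mode))                       # %m is octal, e.g. 644 -> 0644
        if [ "$uid" -eq 0 ] || [ "$fuid" -eq "$uid" ]; then
            echo "$path"                    # root, or the owner (who can chmod)
            continue
        fi
        # Not the owner: the group class applies if the gid matches, else "other".
        if [ "$fgid" -eq "$gid" ]; then bit=16; else bit=2; fi   # g+w / o+w
        if [ $((m & bit)) -ne 0 ]; then echo "$path"; fi
    done
}

# Constructed sample tree standing in for an app directory as left by the image
# build: files 0644, directories 0755, plus one world-writable directory.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/cache"
    echo 'console.log("hi")' > "$d/server.js"
    echo '{}' > "$d/package.json"
    chmod 755 "$d"
    chmod 644 "$d/server.js" "$d/package.json"
    chmod 777 "$d/cache"
    echo "$d"
}

# Command-line use: sh script.sh DIR UID GID
if [ "$#" -eq 3 ]; then
    writable_by "$1" "$2" "$3"
fi
```

Inside the image, `writable_by /opt/app "$(id -u node)" "$(id -g node)"` shows what the runtime user can change: with the build's default root ownership only group- or world-writable paths appear, while after `chown -R node:node .` every path does.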
