WeSee

Reputation: 3762

Docker: How to disable root user in container?

We deliver images to customers, who usually run

$ docker-compose up -d

to deploy them in production. It is quite easy to get root and to see or modify all files:

$ docker-compose exec <service> /bin/sh
/bin/sh(root)# ...

How can I prevent customers from getting full access rights to all files as root when running the container? Maybe this is not possible at all in Docker, but then it should at least be more complicated for users to get full access to anything inside the container.

Is there a best practice to introduce non-root accounts in containers?

Upvotes: 4

Views: 4046

Answers (1)

David Maze

Reputation: 158908

You can’t. You can always run

docker exec -u 0 (container ID) sh

to get a root shell. (Assuming the image has a shell, but almost all do.)

Also remember that anyone who can run any docker command can edit any file on the host, and from there can trivially become root, and can prod around in /var/lib/docker to their heart’s content.

It’s generally considered good practice to set containers to run as non-root by RUN adduser to create a user using the base distribution’s tools and then a Dockerfile USER directive, but an operator can override this at runtime if they really want to.

Upvotes: 4
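
A check that follows from the last paragraph of the answer above, as an added example that is not part of the original answer: it lints a Dockerfile for the default user of its final build stage. The function names, the sample Dockerfiles and the `alpine:3.20` base are constructed for illustration, and the script assumes a base image runs as root until a USER directive says otherwise.

```shell
# Added example: lint a Dockerfile for the default user of its final stage.
# Assumption: a base image named in FROM runs as root until a USER directive.
# This checks the image default only; as the answer says, an operator can
# still override it at runtime with `docker exec -u 0`.

# Prints the effective default user; returns 1 when that user is root.
final_user() {
    awk '
        { sub(/\r$/, "") }
        toupper($1) == "FROM" { user = "root" }
        toupper($1) == "USER" { user = $2; sub(/:.*/, "", user) }
        END {
            if (user == "") user = "root"
            print user
            exit ((user == "root" || user == "0") ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: the pattern from the answer (create a user, then USER).
write_good() {
    cat > "$1" <<'EOF'
FROM alpine:3.20
RUN addgroup -S app && adduser -S -G app -H app
COPY --chown=app:app ./app /app
USER app
CMD ["/app/server"]
EOF
}

# Constructed sample: no USER directive, so the container defaults to root.
write_bad() {
    cat > "$1" <<'EOF'
FROM alpine:3.20
COPY ./app /app
CMD ["/app/server"]
EOF
}

demo() {
    dir=$(mktemp -d)
    write_good "$dir/good"; write_bad "$dir/bad"
    for f in good bad; do
        if u=$(final_user "$dir/$f"); then echo "$f: OK, default user $u"
        else echo "$f: FAIL, default user $u"; fi
    done
    rm -rf "$dir"
}
demo
```

Each FROM resets the tracked user, so a USER set only in an earlier build stage does not count for the final image.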
