Skip to content

Instantly share code, notes, and snippets.

@avishayp
Created September 25, 2018 19:02
Show Gist options
  • Save avishayp/33fcee06ee440524d21600e2e817b6b7 to your computer and use it in GitHub Desktop.
Save avishayp/33fcee06ee440524d21600e2e817b6b7 to your computer and use it in GitHub Desktop.
Add non-root user for alpine linux
# non root user example for alpine
#
# usage:
# $ docker build --build-arg "USER=someuser" --tag test .
# $ docker run --rm test
FROM alpine
ARG USER=default
ENV HOME /home/$USER
# install sudo as root
RUN apk add --update sudo
# add new user
RUN adduser -D $USER \
&& echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
&& chmod 0440 /etc/sudoers.d/$USER
USER $USER
WORKDIR $HOME
# files in /home/$USER to be owned by $USER
# docker has --chown flag for COPY, but it does not expand ENV so we fallback to:
# COPY src src
# RUN sudo chown -R $USER:$USER $HOME
CMD echo "User $(whoami) running from $PWD with premissions: $(sudo -l)"
@mindthump
Copy link

Excellent: brief, to the point, very useful!

@suruaku
Copy link

suruaku commented Mar 29, 2021

What's the point here in making non root user but still giving him ability to become without password?

@mindthump
Copy link

suraku - This technique is for accidental mistake mitigation, not security. Running as root in a container is potentially dangerous, so (for the same reason you give any user passwordless sudo) you don't need to externally share a password with every user that runs the image.

@pebojote
Copy link

Doesn't work anymore
#8 2.695 /bin/sh: can't create /etc/sudoers.d/default: nonexistent directory

@pebojote
Copy link

This is working for me:

# add new user
RUN adduser -D $USER \
        && mkdir -p /etc/sudoers.d \
        && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
        && chmod 0440 /etc/sudoers.d/$USER

@mindthump
Copy link

@workpebojot -- Thanks for the feedback! This is exactly what I use when I create new accounts for hardware and VMs. I didn't seem to need it for containers, but I will put it in since you bring it up.

@jeremy-chua
Copy link

Thanks for this.
By the way, since, its a nonroot user, why add it as sudoers?

@ecardinal
Copy link

Not using the default user (root) isn't necessarily to stop any kind of shenanigans, it's to prevent accidents by forcing the user to deliberately use "sudo". You could still do stupid things, but then it's really your fault. 😃

Also, the setup makes it very easy to comment out or delete the sudo setup and just leave "morty" as a regular user.
For anyone interested:

The nature of docker is somewhat natively insecure if you know what you're doing. There are better container runners that don't suffer from these issues; look into "nestybox/sysbox" on GitHub for an interesting more secure setup. Also, google "rootless containers", as new solutions are coming up all the time.

@e-ruiz
Copy link

e-ruiz commented Apr 28, 2022

Just for reference, official Alpine docs.
📖 https://wiki.alpinelinux.org/wiki/Setting_up_a_new_user#Options

😃

@yolave
Copy link

yolave commented Oct 26, 2022

This is working for me:

# add new user
RUN adduser -D $USER \
        && mkdir -p /etc/sudoers.d \
        && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
        && chmod 0440 /etc/sudoers.d/$USER

This did the work for me. Thanks @workpebojot

@Anr-C
Copy link

Anr-C commented Aug 2, 2024

Thanks 😃

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment