```dockerfile
# non root user example for alpine
#
# usage:
# $ docker build --build-arg "USER=someuser" --tag test .
# $ docker run --rm test
FROM alpine
ARG USER=default
ENV HOME /home/$USER
# install sudo as root
RUN apk add --update sudo
# add new user (newer sudo packages do not ship /etc/sudoers.d, so create it first)
RUN adduser -D $USER \
 && mkdir -p /etc/sudoers.d \
 && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
 && chmod 0440 /etc/sudoers.d/$USER
USER $USER
WORKDIR $HOME
# files in /home/$USER to be owned by $USER
# docker has a --chown flag for COPY, but it does not expand ENV, so we fall back to:
# COPY src src
# RUN sudo chown -R $USER:$USER $HOME
CMD echo "User $(whoami) running from $PWD with permissions: $(sudo -l)"
```
What's the point here in making a non-root user but still giving him the ability to become root without a password?
suraku - This technique is for accidental mistake mitigation, not security. Running as root in a container is potentially dangerous, so (for the same reason you give any user passwordless sudo) you don't need to externally share a password with every user that runs the image.
Doesn't work anymore:

```
#8 2.695 /bin/sh: can't create /etc/sudoers.d/default: nonexistent directory
```
This is working for me:

```dockerfile
# add new user
RUN adduser -D $USER \
 && mkdir -p /etc/sudoers.d \
 && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
 && chmod 0440 /etc/sudoers.d/$USER
```
@workpebojot -- Thanks for the feedback! This is exactly what I use when I create new accounts for hardware and VMs. I didn't seem to need it for containers, but I will put it in since you bring it up.
Thanks for this.
By the way, since it's a non-root user, why add it to sudoers?
Not using the default user (root) isn't necessarily to stop any kind of shenanigans, it's to prevent accidents by forcing the user to deliberately use "sudo". You could still do stupid things, but then it's really your fault. 😃
Also, the setup makes it very easy to comment out or delete the sudo setup and just leave "morty" as a regular user.
For anyone interested:
The nature of docker is somewhat natively insecure if you know what you're doing. There are better container runners that don't suffer from these issues; look into "nestybox/sysbox" on GitHub for an interesting more secure setup. Also, google "rootless containers", as new solutions are coming up all the time.
Just for reference, official Alpine docs.
📖 https://wiki.alpinelinux.org/wiki/Setting_up_a_new_user#Options
😃
This is working for me:

```dockerfile
# add new user
RUN adduser -D $USER \
 && mkdir -p /etc/sudoers.d \
 && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
 && chmod 0440 /etc/sudoers.d/$USER
```
This did the work for me. Thanks @workpebojot
Thanks 😃
Excellent: brief, to the point, very useful!
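As an added example (not part of the gist or any comment above), a POSIX shell audit that checks a Dockerfile for the two properties the thread debates: a `NOPASSWD: ALL` sudoers grant baked into the image, and the absence of a non-root `USER` instruction. The function name, file names and the three Dockerfile texts are constructed for this example; the "hardened" variant drops sudo and fixes ownership as root before switching user.

```sh
# Added example, not from the gist: print each finding to stderr, the count to stdout.
audit_dockerfile() {
    df="$1"
    n=0
    # 1. a passwordless sudo grant for all commands written into the image
    if grep -Eq 'NOPASSWD:[[:space:]]*ALL' "$df"; then
        echo "FINDING $df: passwordless sudo (NOPASSWD: ALL) baked into image" >&2
        n=$((n + 1))
    fi
    # 2. the last USER instruction decides the runtime user; none, root or 0 means root
    last_user=$(grep -E '^[[:space:]]*USER[[:space:]]+' "$df" | tail -n 1 \
        | sed -E 's/^[[:space:]]*USER[[:space:]]+([^[:space:]#]+).*/\1/')
    last_user=${last_user%%:*}   # strip an optional :group
    case "$last_user" in
        ''|root|0)
            echo "FINDING $df: no non-root USER instruction, container runs as root" >&2
            n=$((n + 1)) ;;
    esac
    echo "$n"
}
# Constructed inputs: the gist's Dockerfile (with the sudoers.d fix from the thread),
# a hardened variant without sudo, and one that never switches away from root.
AUDIT_DIR=$(mktemp -d)
GIST_DF="$AUDIT_DIR/Dockerfile.gist"
cat > "$GIST_DF" <<'EOF'
FROM alpine
ARG USER=default
RUN apk add --update sudo
RUN adduser -D $USER \
 && mkdir -p /etc/sudoers.d \
 && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
 && chmod 0440 /etc/sudoers.d/$USER
USER $USER
EOF
HARDENED_DF="$AUDIT_DIR/Dockerfile.hardened"
cat > "$HARDENED_DF" <<'EOF'
FROM alpine
ARG USER=default
RUN adduser -D $USER
COPY src /home/$USER/src
RUN chown -R $USER:$USER /home/$USER
USER $USER
EOF
ROOT_DF="$AUDIT_DIR/Dockerfile.root"
printf 'FROM alpine\nRUN apk add --update curl\n' > "$ROOT_DF"
audit_dockerfile "$GIST_DF"       # prints 1
audit_dockerfile "$HARDENED_DF"   # prints 0
audit_dockerfile "$ROOT_DF"       # prints 1
```

A `USER $USER` line is accepted as non-root because the check is static; it cannot know what build argument the image was built with.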