Created September 25, 2018 19:02
avishayp/33fcee06ee440524d21600e2e817b6b7
Add non-root user for alpine linux
```dockerfile
# non root user example for alpine
#
# usage:
# $ docker build --build-arg "USER=someuser" --tag test .
# $ docker run --rm test
FROM alpine
ARG USER=default
ENV HOME /home/$USER
# install sudo as root
RUN apk add --update sudo
# add new user
# (mkdir -p: some Alpine sudo packages do not create /etc/sudoers.d, see the thread below)
RUN adduser -D $USER \
 && mkdir -p /etc/sudoers.d \
 && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
 && chmod 0440 /etc/sudoers.d/$USER
USER $USER
WORKDIR $HOME
# files in /home/$USER to be owned by $USER
# docker has --chown flag for COPY, but it does not expand ENV so we fallback to:
# COPY src src
# RUN sudo chown -R $USER:$USER $HOME
CMD echo "User $(whoami) running from $PWD with permissions: $(sudo -l)"
```
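The RUN step that builds the sudoers fragment takes the USER build-arg and interpolates it, unchecked, into both a file path under /etc/sudoers.d and a rule that grants passwordless sudo for every command. The POSIX sh helpers below are an added example and not part of the gist: they validate the name before it reaches a path or a sudoers line, emit a rule scoped to an explicit command list instead of `ALL`, and create /etc/sudoers.d before writing (the fix reported in the comments). The function names, the user name `morty`, and the command paths `/sbin/apk` and `/usr/bin/tee` are illustrative choices, not anything the gist defines.

```shell
#!/bin/sh
# Added example, not the gist's own code: helpers for the sudoers step.
# The gist writes "$USER ALL=(ALL) NOPASSWD: ALL" with the build-arg
# interpolated unchecked; these functions validate the name first and
# emit a rule limited to an explicit command list.

# valid_username NAME
# Returns 0 when NAME is a conservative login name: starts with a lowercase
# letter, then only [a-z0-9_-], at most 32 characters. Anything else (spaces,
# quotes, '/', '..') is rejected before it can reach a path or a sudoers line.
valid_username() {
    name=$1
    [ -n "$name" ] && [ ${#name} -le 32 ] || return 1
    case $name in
        [!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# sudoers_rule NAME CMD...
# Prints one sudoers line letting NAME run only the listed commands as root
# without a password. Every command must be an absolute path made of
# [A-Za-z0-9/._-]; a bad name or command makes the function return 1.
sudoers_rule() {
    name=$1
    shift
    valid_username "$name" || return 1
    [ $# -gt 0 ] || return 1
    list=
    for cmd in "$@"; do
        case $cmd in
            /*) ;;
            *) return 1 ;;
        esac
        case $cmd in
            *[!A-Za-z0-9/._-]*) return 1 ;;
        esac
        list="${list:+$list, }$cmd"
    done
    printf '%s ALL=(root) NOPASSWD: %s\n' "$name" "$list"
}

# write_sudoers_fragment NAME DIR CMD...
# Creates DIR if it is missing (the gist's comments report Alpine images where
# /etc/sudoers.d does not exist), writes DIR/NAME with the rule produced by
# sudoers_rule, and sets mode 0440 as sudo requires for fragment files.
write_sudoers_fragment() {
    name=$1
    dir=$2
    shift 2
    rule=$(sudoers_rule "$name" "$@") || return 1
    mkdir -p "$dir" || return 1
    printf '%s\n' "$rule" > "$dir/$name" || return 1
    chmod 0440 "$dir/$name"
}

# check_sudoers_fragment FILE
# Runs visudo in check-only mode on FILE when visudo is installed (it is, as
# root, during the image build); returns visudo's status, or 0 if visudo is
# absent so the helper can be used on a build host without sudo.
check_sudoers_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -q -f "$1"
    fi
}

# Example invocation with the gist's default build-arg value and an
# illustrative command path (/sbin/apk is where Alpine installs apk):
sudoers_rule default /sbin/apk
```

In the Dockerfile these would replace the `echo ... > /etc/sudoers.d/$USER` line with a call such as `write_sudoers_fragment "$USER" /etc/sudoers.d /sbin/apk && check_sudoers_fragment /etc/sudoers.d/$USER`, so a malformed build-arg fails the build instead of producing an unparseable sudoers fragment or an unexpected file path.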
Just for reference, official Alpine docs.
📖 https://wiki.alpinelinux.org/wiki/Setting_up_a_new_user#Options
😃
This is working for me:
```dockerfile
# add new user
RUN adduser -D $USER \
 && mkdir -p /etc/sudoers.d \
 && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
 && chmod 0440 /etc/sudoers.d/$USER
```
This did the work for me. Thanks @workpebojot
Thanks 😃
Not using the default user (root) isn't necessarily to stop any kind of shenanigans, it's to prevent accidents by forcing the user to deliberately use "sudo". You could still do stupid things, but then it's really your fault. 😃
Also, the setup makes it very easy to comment out or delete the sudo setup and just leave "morty" as a regular user.
For anyone interested:
The nature of docker is somewhat natively insecure if you know what you're doing. There are better container runners that don't suffer from these issues; look into "nestybox/sysbox" on GitHub for an interesting more secure setup. Also, google "rootless containers", as new solutions are coming up all the time.