4.1 Create a user for the container

Information

Create a non-root user for the container in the Dockerfile for the container image.

Rationale:

It is good practice to run the container as a non-root user wherever possible. Although user namespace remapping is now available, a user that is already defined in the container image is the user the container runs as by default, so no user namespace remapping is needed for that purpose.

Solution

Ensure that the Dockerfile for the container image contains the instruction below:

USER <username or ID>

where the username or ID refers to a user that exists in the container base image. If the base image does not define a suitable user, add a useradd command to create one before the USER instruction.

For example, add the lines below to the Dockerfile to create a user in the container and switch to it:

RUN useradd -d /home/username -m -s /bin/bash username

USER username
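Worked example, added here and not part of the CIS benchmark or the Tenable plugin: a POSIX shell script that applies this check statically to Dockerfiles. It reports the user of the final build stage, because a USER set only in an earlier stage of a multi-stage build does not carry over to the final image. The sample Dockerfiles, the image tags and the name appuser are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark or the Tenable plugin): a
# static check that the final stage of a Dockerfile runs as a non-root user.
# Sample Dockerfiles, image tags and the "appuser" name are constructed here.
set -eu

# Print the argument of the last USER instruction in the final build stage
# (empty if that stage has none). A FROM starts a new stage, so USER lines in
# earlier stages of a multi-stage build are discarded: only the final image's
# user matters at run time.
last_user() {
    tr -d '\r' < "$1" | awk '
        toupper($1) == "FROM" { u = "" }
        toupper($1) == "USER" { u = $2 }
        END { print u }'
}

# Exit 0 if the final stage sets a non-root user, 1 otherwise. A missing USER
# is treated as failing: the container then runs as whatever the base image
# sets, which is root unless the base image itself carries a USER.
dockerfile_has_nonroot_user() {
    name=$(last_user "$1")
    name=${name%%:*}            # drop an optional ":group" suffix
    case "$name" in
        ""|root|0) return 1 ;;  # no USER, or root by name or by uid
        *)         return 0 ;;
    esac
}

# Write constructed sample Dockerfiles into the directory given as $1.
write_samples() {
    cat > "$1/Dockerfile.root" <<'EOF'
FROM debian:bookworm-slim
COPY app /app
CMD ["/app/run"]
EOF
    cat > "$1/Dockerfile.nonroot" <<'EOF'
FROM debian:bookworm-slim
RUN useradd -d /home/appuser -m -s /bin/bash appuser
COPY --chown=appuser:appuser app /app
USER appuser
CMD ["/app/run"]
EOF
    cat > "$1/Dockerfile.uid" <<'EOF'
FROM alpine:3.19
COPY app /app
USER 1000:1000
CMD ["/app/run"]
EOF
    # USER only in the build stage: the final stage still runs as root
    cat > "$1/Dockerfile.multistage" <<'EOF'
FROM golang:1.22 AS build
RUN useradd -m builder
USER builder
WORKDIR /src
COPY . .
RUN go build -o /tmp/app .
FROM debian:bookworm-slim
COPY --from=build /tmp/app /app
CMD ["/app"]
EOF
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for f in "$SAMPLES"/Dockerfile.*; do
    if dockerfile_has_nonroot_user "$f"; then
        echo "PASS $f: USER $(last_user "$f")"
    else
        echo "FAIL $f: final stage runs as root (USER '$(last_user "$f")')"
    fi
done
```

The static check cannot see a USER inherited from the base image, which is why the instruction above asks for the user to be set explicitly in the Dockerfile. After building, confirm the result on the image itself with `docker inspect --format '{{.Config.User}}' <image>` (an empty string means no user is set and the container will start as root), or on a running container with `docker exec <container> id -u`.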



Note: If the image contains users that the containers do not need, consider deleting them. After deleting those users, commit the image and then generate new container instances from it.

Impact:

None.

Default Value:

By default, the containers are run with root privileges and as user root inside the container.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Unix

Control ID: 2054c4c26f639f50b3e03a01d6255589277ab2ff12f2278551cb90b21ec399e4