4.1 Create a user for the container

Information

Create a non-root user for the container in the Dockerfile for the container image. Also, run
the container with a non-root user.

Currently, mapping the container's root user to a non-root user on the host is not
supported by Docker. Support for user namespaces would be provided in future
releases (probably in 1.6). This creates a serious user isolation issue: root inside the
container is root on the host. It is thus highly recommended to ensure that a non-root user
is created for the container and that the container is run using that user.

Solution

Ensure that the Dockerfile for the container image contains the below instruction:

USER <username or ID>

where username or ID refers to a user that exists in the container base image. If
there is no specific user created in the container base image, then add a useradd command
to create that user before the USER instruction. For example, add the below lines to the
Dockerfile to create a user in the container:

RUN useradd -d /home/username -m -s /bin/bash username
USER username

When you run the container, use the '-u' flag to specify that you want to run the
container as a specific user and not root. This can be done by executing the below command:

$> docker run -u <Username or ID> <Run args> <Container Image Name or ID> <Command>

For example,

$> docker run -u 1000 -i -t centos /bin/bash

This would ensure that the above container is run with user ID 1000 and not root.

Note: If there are users in the image that the containers do not need, consider deleting
them. After deleting those users, commit the image and then generate new instances of
containers for use.
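The following audit helper is an added example, not part of the CIS benchmark text or any Docker tooling. It checks the condition the solution above describes: whether a Dockerfile's effective USER instruction (the last one, since later USER lines override earlier ones) names something other than root or UID 0. The three sample Dockerfiles are constructed inline for demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the CIS benchmark): report whether a Dockerfile
# ends up running its process as a non-root user.
# Returns 0 (pass) when the effective USER is non-root, 1 (fail) otherwise.
dockerfile_sets_nonroot_user() {
    # Take the last USER instruction (later ones override earlier ones), strip
    # the keyword, any ":group" suffix and trailing whitespace.
    last_user=$(grep -iE '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 \
        | sed -E 's/^[[:space:]]*USER[[:space:]]+//; s/:.*$//; s/[[:space:]]+$//')
    [ -n "$last_user" ] || return 1          # no USER at all -> runs as root
    case "$last_user" in
        root|0) return 1 ;;                  # explicitly root by name or UID
        *)      return 0 ;;
    esac
}

# Print a PASS/FAIL line for one Dockerfile.
audit_dockerfile() {
    if dockerfile_sets_nonroot_user "$1"; then
        echo "PASS: $1 runs as a non-root user"
    else
        echo "FAIL: $1 runs as root (no USER instruction, or USER root/0)"
    fi
}

# Constructed sample Dockerfiles (demonstration input, not from the benchmark).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/Dockerfile.good" <<'EOF'
FROM centos
RUN useradd -d /home/username -m -s /bin/bash username
USER username
EOF

cat > "$tmpdir/Dockerfile.missing" <<'EOF'
FROM centos
RUN yum -y install httpd
EOF

cat > "$tmpdir/Dockerfile.rootlast" <<'EOF'
FROM centos
USER 1000
USER root
EOF

audit_dockerfile "$tmpdir/Dockerfile.good"       # PASS
audit_dockerfile "$tmpdir/Dockerfile.missing"    # FAIL: no USER instruction
audit_dockerfile "$tmpdir/Dockerfile.rootlast"   # FAIL: last USER is root
```

The check covers the Dockerfile side only; the docker run '-u' flag described above still has to be verified separately, for example by inspecting the running container's process owner with docker exec or docker inspect.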

Impact

None.

Default Value

By default, the containers are run with root privileges and as user root inside the
container.

See Also

https://workbench.cisecurity.org/files/514