
Using a non-root user

Let's get back to the youtube-dl application that we last worked with in Part 2.

The application could, in theory, escape the container due to a bug in Docker or the Linux kernel. To mitigate this security issue, we will add a non-root user to our container and run our process as that user. Another option is to map the root user to a high, non-existent user ID on the host with user namespace remapping (https://docs.docker.com/engine/security/userns-remap/), which can be used in case you must use root within the container.

The Dockerfile that we did in Part 1 was this:

FROM ubuntu:18.04

WORKDIR /mydir

RUN apt-get update
RUN apt-get install -y curl python
RUN curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl
RUN chmod a+x /usr/local/bin/youtube-dl

ENV LC_ALL=C.UTF-8

ENTRYPOINT ["/usr/local/bin/youtube-dl"]

We will add a user called appuser with the following command:

RUN useradd -m appuser

After that we change the user with the directive USER - so all commands after this line will be executed as our new user, including the CMD and ENTRYPOINT.

FROM ubuntu:18.04

WORKDIR /usr/videos

ENV LC_ALL=C.UTF-8

RUN apt-get update
RUN apt-get install -y curl python
RUN curl -L https://yt-dl.org/downloads/latest/youtube-dl -o /usr/local/bin/youtube-dl
RUN chmod a+x /usr/local/bin/youtube-dl
RUN useradd -m appuser

USER appuser

ENTRYPOINT ["/usr/local/bin/youtube-dl"]

The WORKDIR is renamed to /usr/videos since it makes more sense as the videos will be downloaded there. When we run this image without bind mounting our local directory:

$ docker container run youtube-dl https://imgur.com/JY5tHqr

[Imgur] JY5tHqr: Downloading webpage
[download] Destination: Imgur-JY5tHqr.mp4
[download] 100% of 190.20KiB in 00:0044MiB/s ETA 00:000
ERROR: unable to open for writing: [Errno 13] Permission denied: 'Imgur-JY5tHqr.mp4.part'

We'll see that our appuser user cannot write to /usr/videos. This can be fixed with chown, or left unfixed if the intended usage is to always have /usr/videos mounted from the host. By mounting the directory the application works as intended.

If we want to give the appuser permission to write inside the container, the permission change must be done when we are still executing as root, that is, before the directive USER is used to change the user:

FROM ubuntu:18.04

# ...

# create the appuser
RUN useradd -m appuser

# change the owner of current dir to appuser
RUN chown appuser .

# now we can change the user
USER appuser

ENTRYPOINT ["/usr/local/bin/youtube-dl"]
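
A static check for the two points above, as an added example that is not part of the original course material: it reports which user the final build stage ends with and flags root-only RUN commands placed after USER. The function names, the ROOT_ONLY command list and the sample Dockerfiles are assumptions constructed for illustration; a stage without USER is treated as root, which holds unless the base image sets its own USER.

```python
import re

# Commands that the page runs while still root (before the USER directive).
ROOT_ONLY = re.compile(r"\b(useradd|adduser|chown|apt-get)\b")

def is_root(user: str) -> bool:
    # USER accepts "name", "uid", "name:group" or "uid:gid"; only the user part matters.
    return user.split(":", 1)[0] in ("root", "0")

def audit(dockerfile: str) -> dict:
    """Report the final stage's effective user and root-only RUNs placed after USER."""
    # Join backslash continuations so every instruction is one logical line.
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)
    user, misplaced = "root", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1].strip() if len(parts) > 1 else ""
        if instr == "FROM":
            # New stage. Assumption: the base image does not set USER itself.
            user, misplaced = "root", []
        elif instr == "USER" and args:
            user = args
        elif instr == "RUN" and not is_root(user) and ROOT_ONLY.search(args):
            misplaced.append(line)
    return {"user": user, "runs_as_root": is_root(user), "root_only_after_user": misplaced}

# Constructed sample inputs modelled on the Dockerfiles above.
NO_USER = "FROM ubuntu:18.04\nWORKDIR /usr/videos\nENTRYPOINT [\"/usr/local/bin/youtube-dl\"]\n"
FIXED = """FROM ubuntu:18.04
WORKDIR /usr/videos
RUN useradd -m appuser
RUN chown appuser .
USER appuser
ENTRYPOINT ["/usr/local/bin/youtube-dl"]
"""
# Same instructions, but chown comes after USER, so it would run as appuser.
MISORDERED = FIXED.replace("RUN chown appuser .\nUSER appuser\n",
                           "USER appuser\nRUN chown appuser .\n")

if __name__ == "__main__":
    for name, df in [("no USER", NO_USER), ("fixed", FIXED), ("misordered", MISORDERED)]:
        print(name, audit(df))
```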

Exercise 3.5

Mandatory Exercise 3.5

In exercises 1.12 and 1.13 we created Dockerfiles for both example frontend and backend.

Security issues with the user being root are serious for the example frontend and backend, as the containers for web services are supposed to be accessible through the Internet.

Make sure the containers start their processes as a non-root user.

The backend image is based on Alpine Linux, which does not support the command useradd. Google will surely help you find a way to create a user in an Alpine-based image.

Submit the Dockerfiles.