Why a Docker container should never run as root!
Most organisations ensure that you need to have sudo access to run the Docker commands on your systems, but even if you're using Kubernetes or OpenShift, or if you have added users to the docker group you run the risk of being compromised.
As a simple demonstration try out the following steps that would expose your /etc/shadow file to a docker container ran by an ordinary user;
1. Make sure your ordinary user is added to the docker group:
sudo usermod -G docker steve
2. If you are logged in as that user you will need to log out and back in for the group to take affect
3. Check the user can run the docker command:
docker ps
You should see the docker ps header and any running containers on that system
4. Now let's cat the /etc/shadow file using a container from Docker Hub:
docker run -it --rm -v /etc:/hack python:3.12 cat /hack/shadow
5. You'll notice that what you will be looking at is your hosts shadow file and not the shadow file in the container since that is in /etc/shadow.
If you're not doing the following to secure your environment then you will be at risk of people being able to crack the root password on your systems.
1. Create and use only your own organisations private Docker registry
2. Block access to docker.io, public.ecr.aws, quay.io, and any other public repositories you know of. Access to these should only be allowed by those who will be building the base container images for your organisations
3. Any base images downloaded from the registries in 2 should be built as new images that run with a specific user ID greater than 1000.
4. If developers need to install software onto containers then this should be performed in the developer environments only, or through CI pipelines which perform the root level installs and then add the user to the end of the build.
Root running containers should only be used where software needs to be installed that the basic user cannot, which is why it is important to have the necessary base images available for developers so that they only need worry about their code and libraries.
