Work in progress
A collection of Docker samples running with unprivileged users.
By default, processes in Docker containers run as the root user. Root access for the running application inside the container translates to root access on the host itself. Whether through a bug, a vulnerability in the application, a vulnerability in another container on the same host, or deliberate action, running as root increases the risk to your applications and infrastructure. Attackers can run undesirable or malicious processes and use the container as a starting point for scanning your systems, injecting code, or attacking your infrastructure through lateral movement.
The risk can be reduced by having your processes in the container run as a non-root user. This follows the principle of least privilege and is considered a security best practice.
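One way to check a Dockerfile for this, as an added example that is not part of this repository: the Python below reports which USER is in effect at the end of the final build stage, since that is the user the container's process starts as. The function names and sample Dockerfiles are constructed for illustration, and the check assumes that a base image with no USER instruction runs as root.

```python
import re

# Constructed sample: the build stage drops privileges, the final stage does not.
SAMPLE_ROOT = """\
FROM node:20 AS build
USER node
RUN npm ci
FROM node:20-slim
COPY --from=build /app /app
CMD ["node", "/app/server.js"]
"""
# Same file with a USER instruction added to the final stage.
SAMPLE_NONROOT = SAMPLE_ROOT.replace("CMD", "USER node\nCMD")


def final_user(dockerfile_text):
    """Return the USER in effect at the end of the last stage, or None."""
    # Join backslash line continuations so each instruction is one line.
    text = re.sub(r"\\[ \t]*\r?\n", " ", dockerfile_text)
    stage_users = {}          # stage name -> USER at the end of that stage
    user, name = None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue          # skip blank lines and comments
        parts = line.split()
        instr = parts[0].upper()
        if instr == "FROM":
            if name:
                stage_users[name] = user
            args = [p for p in parts[1:] if not p.startswith("--")]
            # A stage built FROM an earlier named stage inherits its USER;
            # any other base image is treated as unknown (None).
            user = stage_users.get(args[0].lower())
            has_alias = len(args) >= 3 and args[1].upper() == "AS"
            name = args[2].lower() if has_alias else None
        elif instr == "USER" and len(parts) > 1:
            user = parts[1]
    return user


def runs_as_root(dockerfile_text):
    """True if the final stage ends as root (assumed when no USER is set)."""
    user = final_user(dockerfile_text)
    if user is None:
        return True
    return user.split(":")[0] in ("root", "0")   # handles "0:0", "root:root"
```

A USER given as a build argument (for example `USER $APP_USER`) is reported as non-root here without being resolved, so such files still need a manual look.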
This repository is a collection of a few samples, based on official images, that aims to show how to run the application as an unprivileged user.
NodeJS sample
Nginx sample
ASP.NET Core sample
// TODO
Java
Postgres
MSSQL
PHP
Python
This is not to be confused with rootless mode. The Docker daemon itself runs as a root user, and it is possible to install, configure and run that daemon as a non-root user. The advantage of rootless mode is that it takes care of both the Docker daemon and the container runtime. But take note of its current limitations.