
Disable root

  • Dockerfile
Docker
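# Image that runs its workload as an unprivileged user with no in-container
# route back to root.
#
# NOTE(review): `latest` is a moving tag; pin a specific release tag or digest
# so rebuilds are reproducible and base-image changes get reviewed.
FROM debian:latest

# Create the unprivileged account and give it ownership of /app.
# sudo is deliberately not installed: a passwordless rule such as
# `%sudo ALL=(ALL) NOPASSWD:ALL` makes every member of the sudo group
# equivalent to root, which defeats the purpose of switching away from root.
RUN useradd -m -s /bin/bash appuser \
    && mkdir -p /app \
    && chown -R appuser:appuser /app

# Disable interactive root logins. This runs while the build is still root,
# so no sudo is needed. Locking the password and replacing the login shell
# blocks `su`/login as root.
# /etc/passwd and /etc/shadow keep their default modes: setting them to 000
# breaks user-name lookups for appuser, and root (the files' owner) can simply
# restore the modes, so it restricts nothing.
# This does not prevent an operator from starting the container as UID 0
# (for example `docker run --user 0`); pair the image with runtime restrictions
# such as `--security-opt no-new-privileges` and `--cap-drop=ALL`.
RUN passwd -l root \
    && usermod -s /usr/sbin/nologin root

# Every later instruction and the container's main process run as appuser.
USER appuser

WORKDIR /app

# Exec (JSON-array) form avoids the intermediate `/bin/sh -c` wrapper.
CMD ["sleep", "999999"]
#CMD ["bash"]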
  • Different example
Docker
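# Variant that keeps sudo installed but gives the application user an explicit
# "deny everything" sudoers rule.
#
# NOTE(review): `latest` is a moving tag; pin a specific release tag or digest
# so rebuilds are reproducible and base-image changes get reviewed.
FROM debian:latest

# Install sudo without recommended extras and drop the apt lists in the same
# layer so they do not persist in the image.
RUN apt-get update \
    && apt-get install -y --no-install-recommends sudo \
    && rm -rf /var/lib/apt/lists/*

# Create a non-root user that owns the application directory.
RUN useradd -m -s /bin/bash appuser \
    && mkdir -p /app \
    && chown -R appuser:appuser /app

# Explicitly deny appuser every sudo command. sudo already refuses users that
# have no matching rule, so this is defence in depth. If nothing in the image
# needs sudo, leaving the package out removes a setuid-root binary altogether.
# The drop-in is set to the conventional 0440 mode and syntax-checked at build
# time so a malformed rule fails the build instead of shipping.
RUN echo "appuser ALL=(ALL) !ALL" > /etc/sudoers.d/appuser \
    && chmod 0440 /etc/sudoers.d/appuser \
    && visudo -cf /etc/sudoers.d/appuser

# Every later instruction and the container's main process run as appuser.
USER appuser

WORKDIR /app

# Exec (JSON-array) form avoids the intermediate `/bin/sh -c` wrapper.
CMD ["sleep", "99999"]
#CMD ["bash"]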
  • docker cli
Bash
# Run the image with privilege escalation blocked (setuid binaries such as sudo
# cannot raise privileges) and with every Linux capability dropped.
docker run \
  --security-opt no-new-privileges \
  --cap-drop=ALL \
  myimage
  • docker-compose.yml
YAML
# Compose service hardened at runtime: no privilege escalation, no Linux
# capabilities, and a read-only root filesystem with a writable tmpfs at /tmp.
services:
  secure-app:
    container_name: secure-container
    build: .
    restart: unless-stopped
    # Root filesystem is mounted read-only; only the tmpfs below is writable.
    read_only: true
    tmpfs:
      - /tmp  # scratch space for temporary writes
    # Drop every Linux capability from the container.
    cap_drop:
      - ALL
    # Stop processes from gaining privileges through setuid/setgid binaries.
    security_opt:
      - no-new-privileges