Disable root
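# Runs the workload as an unprivileged user. No privilege-escalation tooling is
# installed, so nothing in the image lets appuser become root again.
#
# NOTE(review): debian:latest is a moving tag. Pin a release tag or digest,
# e.g. debian:<release>-slim@sha256:<digest>, so rebuilds are reproducible.
FROM debian:latest

# Create a non-root user and an application directory it owns.
# sudo is deliberately not installed, appuser is not added to the sudo group,
# and no '%sudo ALL=(ALL) NOPASSWD:ALL' rule is written: together those give
# appuser passwordless root and cancel out the USER instruction below.
RUN useradd -m -s /bin/bash appuser \
 && mkdir -p /app \
 && chown -R appuser:appuser /app

# Set user explicitly: later build steps and the container process run as
# appuser.
USER appuser

# No 'chmod 000 /etc/passwd /etc/shadow' step. Root owns both files and
# normally bypasses mode bits, so it does not lock root out, while an
# unreadable /etc/passwd breaks user-name lookups for appuser.
WORKDIR /app

# Exec form: sleep is started directly, without a /bin/sh -c wrapper.
CMD ["sleep", "999999"]
#CMD ["bash"]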
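# Runs the workload as an unprivileged user with no sudo in the image.
#
# NOTE(review): debian:latest is a moving tag. Pin a release tag or digest,
# e.g. debian:<release>-slim@sha256:<digest>, so rebuilds are reproducible.
FROM debian:latest

# Create a non-root user and an application directory it owns.
# sudo is not installed and no 'appuser ALL=(ALL) !ALL' drop-in is written:
# sudo already refuses users that have no sudoers entry, so the deny rule adds
# nothing, and shipping the setuid-root sudo binary only widens the attack
# surface of the image.
RUN useradd -m -s /bin/bash appuser \
 && mkdir -p /app \
 && chown -R appuser:appuser /app

# Set user explicitly: later build steps and the container process run as
# appuser.
USER appuser
WORKDIR /app

# Exec form: sleep is started directly, without a /bin/sh -c wrapper.
CMD ["sleep", "99999"]
#CMD ["bash"]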
# Start the container with runtime hardening:
#   no-new-privileges  setuid/setgid binaries (su, sudo, ...) cannot raise the
#                      privileges of any process in the container
#   --cap-drop=ALL     the container starts with no Linux capabilities
docker run \
  --security-opt no-new-privileges \
  --cap-drop=ALL \
  myimage
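# Compose equivalent of the hardened 'docker run' invocation.
# Nesting is restored: every key from 'build' down belongs to the secure-app
# service, which in turn sits under 'services'.
services:
  secure-app:
    build: .
    container_name: secure-container
    # setuid/setgid binaries cannot raise privileges inside the container.
    security_opt:
      - no-new-privileges
    # Start with no Linux capabilities at all.
    cap_drop:
      - ALL
    read_only: true # Makes filesystem read-only (except /tmp)
    tmpfs:
      - /tmp # Allow temporary writes
    restart: unless-stopped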