Control: 4.1 Ensure that a user for the container has been created

Description

Containers should run as a non-root user.

It is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through gosu or similar where used as part of the CMD or ENTRYPOINT directives.

Remediation

You should ensure that the Dockerfile for each container image contains the information below:

USER <username or ID>

In this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the useradd command to add a specific user before the USER instruction in the Dockerfile. For example, add the below lines in the Dockerfile to create a user in the container:

RUN useradd -d /home/username -m -s /bin/bash username
USER username

Note: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers.

Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.

Default Value

By default, containers are run with root privileges and also run as the root user inside the container.