Docker container build: Using /root as the work dir is not advised #124

Open
samip5 opened this issue Jan 4, 2024 · 7 comments

samip5 commented Jan 4, 2024

Hi there,

I was looking at the Dockerfile and noticed that the app root is at /root. I'm not exactly sure why one would think of putting it there, but that seems like not the greatest design decision, so it should probably be fixed. I'm not sure if that will actually prevent the container from working as non-root.

Please instead move it to e.g. /app and just create the directory before changing work dir there.

@samip5 samip5 changed the title Docker container build: Using /root as the work dir is not advised Docker container build: Using /root as the work dir is not advised Jan 4, 2024

ananthakumaran (Owner) commented

Could you give more concrete reasons? Note that the docker file is already in use and making random changes would break the existing setup for users. Also, the current working directory is irrelevant and all the files get stored under /root/Documents/paisa/.

samip5 (Author) commented Jan 4, 2024

> Could you give more concrete reasons? Note that the docker file is already in use and making random changes would break the existing setup for users. Also, the current working directory is irrelevant and all the files get stored under /root/Documents/paisa/.

It's not irrelevant, as if one mounts a block device (e.g. in a Kubernetes environment) to said path, it will override app files instead, and the permissions on that path are more than likely root:root, which will make it inaccessible to a non-root user, thus making the container unusable if one doesn't want to run it privileged.

shyamjos commented

Running a container as the root user is not advised. Suppose there is a vulnerability in the web app (e.g. remote code execution); in that case the attacker can gain access to the container with root user privileges. A less privileged user is always better.

ananthakumaran (Owner) commented

Though the root user inside the docker is not as powerful as the root user, agreeing with the general principle, the root user increases the scope unnecessarily. I will try to spend some time. If there are any other packaged docker apps, you can share the link; it would reduce the amount of research I need to do.

samip5 (Author) commented Jan 29, 2024

> Though the root user inside the docker is not as powerful as the root user, agreeing with the general principle, the root user increases the scope unnecessarily. I will try to spend some time. If there are any other packaged docker apps, you can share the link; it would reduce the amount of research I need to do.

There are MANY that run as non-root. Have a look: https://github.com/onedr0p/containers.

vishalnandagopal commented Feb 23, 2024

For this use case, a simple

RUN ["useradd","--create-home","paisa-user"]

USER paisa-user

should suffice, right @samip5? Or whatever the equivalent command is for Alpine. And then changing workdir to /home/paisa-user/?

samip5 (Author) commented Mar 15, 2024

> For this use case, a simple
>
> RUN ["useradd","--create-home","paisa-user"]
>
> USER paisa-user
>
> should suffice, right @samip5? Or whatever the equivalent command is for Alpine. And then changing workdir to /home/paisa-user/?

I would also recommend changing the resulting workdir where the app is run from to not use /root. Examples of where it could be include /app and /usr/local/app, but are not limited to those. Also, if you do create the home for the user, then the workdir should also use /home/paisa-user in your example.
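
Added example, not part of the thread and not the project's own code: a small Python check for the two conditions raised in this issue, a final image stage that runs as root and a WORKDIR under /root. Both sample Dockerfiles, the `app` binary name and the assumption that a base image starts as root in `/` are constructed for illustration.

```python
import posixpath
import re

# Constructed samples, not the project's Dockerfile. "app" is a placeholder binary.
BEFORE = """\
FROM alpine:3.19
WORKDIR /root
COPY app /usr/local/bin/app
CMD ["app"]
"""
AFTER = """\
FROM alpine:3.19
RUN adduser -D -h /home/paisa-user paisa-user \\
    && mkdir /app && chown paisa-user /app
COPY app /usr/local/bin/app
USER paisa-user
WORKDIR /app
CMD ["app"]
"""

def final_stage_state(dockerfile):
    """Return (user, workdir) in effect at the end of the last build stage."""
    text = re.sub(r"\\[ \t]*\n", " ", dockerfile)  # join continuation lines
    user, workdir = "root", "/"
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        instr, arg = parts[0].upper(), parts[1].strip()
        if instr == "FROM":
            # Assumption: every base image starts as root in "/".
            user, workdir = "root", "/"
        elif instr == "USER":
            user = arg
        elif instr == "WORKDIR":
            workdir = posixpath.normpath(posixpath.join(workdir, arg))
    return user, workdir

def findings(dockerfile):
    """List the issues discussed in the thread that apply to this Dockerfile."""
    user, workdir = final_stage_state(dockerfile)
    issues = []
    if user.split(":")[0] in ("root", "0"):
        issues.append("runs as root")
    if workdir == "/root" or workdir.startswith("/root/"):
        issues.append("WORKDIR under /root")
    return issues

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("after", AFTER)):
        print(name, findings(sample) or "ok")
```

Only the last stage is evaluated because that is the stage the container runs; a USER set in an earlier build stage does not carry over to a later FROM of a different image.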
