Container Security Language
5 exercises — Master the English vocabulary of container hardening: non-root users, Linux capabilities, CVE scanning, seccomp, and read-only filesystems.
0 / 5 completed
1 / 5
A security audit finding reads: "Container web-api runs as root (UID 0). This violates our container hardening policy. Update the Dockerfile to switch to a non-root user before the entrypoint."
Why is running a container process as root (UID 0) a security risk?
Root-in-container amplifies the blast radius of any application vulnerability.
Running as root inside a container is risky because:
1. If the application is compromised, the attacker has unlimited filesystem and process permissions within the container
2. Some escape vulnerabilities (e.g., runc CVE-2019-5736) are more dangerous when the attacker-controlled process is already root
3. Volume-mounted host paths are accessible with full root permissions
4. In privileged mode or with shared namespaces, container root effectively becomes host root
The fix: add
Key vocabulary:
• UID 0 — root user; has unrestricted permissions within the container's filesystem and namespace
• USER instruction — Dockerfile instruction that sets the running user for subsequent RUN, CMD, and ENTRYPOINT
• privilege escalation — gaining higher permissions than initially granted (e.g., container root → host root)
• defence-in-depth — layered security so a single failure doesn't lead to full system compromise
• non-root user — a container user with UID > 0 and no elevated kernel privileges
Running as root inside a container is risky because:
1. If the application is compromised, the attacker has unlimited filesystem and process permissions within the container
2. Some escape vulnerabilities (e.g., runc CVE-2019-5736) are more dangerous when the attacker-controlled process is already root
3. Volume-mounted host paths are accessible with full root permissions
4. In privileged mode or with shared namespaces, container root effectively becomes host root
The fix: add
RUN adduser --disabled-password --uid 1000 appuser and USER appuser before the ENTRYPOINT. For port 80/443, use CAP_NET_BIND_SERVICE or a reverse proxy instead of running as root.Key vocabulary:
• UID 0 — root user; has unrestricted permissions within the container's filesystem and namespace
• USER instruction — Dockerfile instruction that sets the running user for subsequent RUN, CMD, and ENTRYPOINT
• privilege escalation — gaining higher permissions than initially granted (e.g., container root → host root)
• defence-in-depth — layered security so a single failure doesn't lead to full system compromise
• non-root user — a container user with UID > 0 and no elevated kernel privileges