7

I'm basically trying to run crond -f as root, while having the default user be something different.

Since the crontabs it runs use sensitive information from other files on the image, I want to give root access to these files, start the crond process, then switch the user to a newly created one. This way the cronjobs will be able to get the information they need, while securing the sensitive files in the container from anyone who may get exec access.

I have tried a couple of things like this:

```dockerfile
USER root

CMD ["./runCrons.sh"]

USER newuser
```

But this does not run the crond process as root, but as newuser.

If anyone has a solution it would save me some digging and experimentation.

boreddude
  • Try sudo ./runCrons.sh along with the sudoers stuff from this discussion. https://stackoverflow.com/questions/25845538/using-sudo-inside-a-docker-container – dskow Dec 18 '17 at 21:18
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. – jww Dec 19 '17 at 01:19

1 Answer

2

While building the Docker image, create a user which belongs to the sudo group and is allowed to run all sudo commands without a password.

Consider the example below, which creates a Docker image called test with a user named myuser with sudo pass:

$ cat Dockerfile

```dockerfile
FROM debian:latest
ENV user_name myuser
RUN apt-get update
RUN apt-get install -y sudo
RUN useradd --create-home -s /bin/bash ${user_name}
RUN echo "${user_name} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${user_name}
WORKDIR /home/${user_name}
USER ${user_name}
CMD /bin/bash
```

Then build the image:

```shell
docker build -t test .
```

Now, to fix cron permission issues for the standard user, make sure all commands used in cron scripts start with sudo, like below.

```dockerfile
# Exec form needs each argument as a separate array element
CMD ["sudo", "./runCrons.sh"]
```

Since no password is expected when using sudo, everything should execute fine and you should be good to go.

Aby Sheffer
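
A variant of the Dockerfile above that limits the sudo grant to the one script that starts cron, so that a shell obtained through `docker exec` as the default user cannot read the root-only files. This is an added example, not part of the question or the answer; the paths `/opt/secrets/secrets.env` and `/usr/local/sbin/runCrons.sh` are assumptions, and `runCrons.sh` is assumed to start cron in the foreground.

```dockerfile
# Added example. Paths and file names below are assumptions, not from the post.
FROM debian:latest
ENV user_name=myuser

RUN apt-get update \
 && apt-get install -y --no-install-recommends sudo cron \
 && rm -rf /var/lib/apt/lists/*

RUN useradd --create-home -s /bin/bash ${user_name}

# COPY creates files owned by root:root; tighten the modes so only root can
# read the secrets and only root can read, modify or run the script directly.
COPY secrets.env /opt/secrets/secrets.env
COPY runCrons.sh /usr/local/sbin/runCrons.sh
RUN chmod 0700 /opt/secrets \
 && chmod 0600 /opt/secrets/secrets.env \
 && chmod 0700 /usr/local/sbin/runCrons.sh

# Grant exactly one command, as root, with no arguments allowed (the trailing "").
# visudo -cf fails the build if the drop-in does not parse.
RUN printf '%s ALL=(root) NOPASSWD: /usr/local/sbin/runCrons.sh ""\n' "${user_name}" \
      > /etc/sudoers.d/${user_name} \
 && chmod 0440 /etc/sudoers.d/${user_name} \
 && visudo -cf /etc/sudoers.d/${user_name}

WORKDIR /home/${user_name}
USER ${user_name}

# Exec form: each argument is its own array element.
CMD ["sudo", "/usr/local/sbin/runCrons.sh"]
```

The default user can still start the script again through sudo, so `runCrons.sh` should not act on arguments or on environment variables it did not set itself.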