How to set UID in distroless / rootless Docker image

[gene1wood]

I've been reading about distroless and the use of the nonroot user which hard codes the UID of the process runner to 65532

Since homebox needs persistent storage, recommended in the homebox docs as a volume mapping to the /data directory, the resulting files will be owned on the host running the docker container as UID 65532.

Wouldn't this mean that all of the files on the host system for any docker containers using distroless would have files owned by the same UID? Wouldn't this mean that a container escape or something would put the files for the various docker containers using distroless in the same security domain and an attacker who could operate as 65532 on the host could access the files from some other container?

I ask because I'm used to how it's done, for example, in linuxserver.io docker images where you use a distinct UID on the host for each container so that each containers volume mapped files on the host are owned by a user dedicated to that container.

Is there a way in distroless that I'm not seeing to be able to set the UID used so that the data on the host isn't owned by 65532 but instead owned by a UID dedicated to homebox?

This may be something @Sudneo would have some insight on.

[hay-kot]

This is not yet implemented, see for tracking

• Be able to set UID and GID in Docker rootless image #607 (comment)

[Sudneo]

Hello everyone. I think this is only partially a problem, I will elaborate my perspective (never been a big fan of linuxserver images!), but of course different people have different preferences!

First of all, it is absolutely correct: if you run multiple distroless images with default UID, the underlying data would be owned by the same UID outside the containers, which means that in case of an escape, an attacker would be able to compromise data for multiple applications.
That said, escaping a distroless image (specifically this uses static) is not impossible, but extremely hard and unlikely. There is not a single binary besides homebox application, so only this could be used to have primitives for write and read in the hope to escape the container (we can't exclude vulnerabilities that allow for that to exist, so of course this is not impossible).

Moreover, I believe both docker, docker-compose and kubernetes support specifying the UID natively.
For example:

$ mkdir /tmp/test && chown 9999:9999 /tmp/test
$ docker run -u 9999:9999 -v /tmp/test:/data ghcr.io/hay-kot/homebox:latest-rootless
$ ls /tmp/test 
.rw-r--r-- 193k 9999 14 Feb 22:05 homebox.db

In Kubernetes the same can be achieved using the securityContext.runAsUser directive, I think, and in compose using the user directive.

I believe this last point might address your question:

Is there a way in distroless that I'm not seeing to be able to set the UID used so that the data on the host isn't owned by 65532 but instead owned by a UID dedicated to homebox?

[gene1wood]

@Sudneo Excellent, yes, that's exactly what I was looking for. Looking in the distroless repo I couldn't tell how the docker --user argument would enable setting the UID, but your simple test shows that it works just fine.

The linuxserver.io approach to enabling configuration of the UID/GID comes from before Docker Engine 1.7 back in 2015.

I think that's a fine solution, I'll do that.