This repository was archived by the owner on Nov 3, 2025. It is now read-only.
Running a rootless containerΒ #434
Description
Is your feature request related to a problem? Please describe.
Any process that might not need to be run as root could be of a potential security risk.
Describe the solution you'd like
Following the principle of least privilege, I would suggest that the container could run as a newly created system user (in the Dockerfile):
RUN groupadd --system sal && useradd --system --shell /bin/false --gid sal sal
RUN chown -R sal:sal /home/app
USER sal
Of course there would still be issues with processes that need privileges to be addressed such as cron, supervisord etc. So the code above would be just a first step.
Describe alternatives you've considered
- Isolating sal into its own VPC
- Overwriting the original sal image with an additional docker layer (very hackish)
Additional context
There are lots of online resources you can find related to the importance of rootless containers.
I really appreciate sal and I know this request can be challenging to implement.
Thanks in advance! :)