{"id":16101520,"url":"https://github.com/mendhak/docker-unprivileged","last_synced_at":"2026-05-09T00:07:32.738Z","repository":{"id":141194628,"uuid":"403762584","full_name":"mendhak/docker-unprivileged","owner":"mendhak","description":"WIP: Collection of unprivileged Docker samples for different languages and tools","archived":false,"fork":false,"pushed_at":"2021-09-12T21:46:27.000Z","size":33,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-06T00:27:48.185Z","etag":null,"topics":["aspnetcore","docker","nginx","nodejs","samples","unprivileged-user"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mendhak.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-06T21:27:26.000Z","updated_at":"2023-09-08T18:26:16.000Z","dependencies_parsed_at":null,"dependency_job_id":"d9c2a8b3-79a6-4848-9fbd-4613ec94d5b6","html_url":"https://github.com/mendhak/docker-unprivileged","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mendhak/docker-unprivileged","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mendhak%2Fdocker-unprivileged","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mendhak%2Fdocker-unprivileged/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mendhak%2Fdocker-unprivileged/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/mendhak%2Fdocker-unprivileged/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mendhak","download_url":"https://codeload.github.com/mendhak/docker-unprivileged/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mendhak%2Fdocker-unprivileged/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32802548,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-08T08:22:46.396Z","status":"ssl_error","status_checked_at":"2026-05-08T08:22:45.650Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aspnetcore","docker","nginx","nodejs","samples","unprivileged-user"],"created_at":"2024-10-09T18:50:11.752Z","updated_at":"2026-05-09T00:07:32.723Z","avatar_url":"https://github.com/mendhak.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Unprivileged Docker Samples\n\n_Work in progress_\n\nA collection of Docker samples running with unprivileged users.  \n\n## Background\n\nBy default, processes in Docker containers run as the root user.  The running application having root access inside the container translates to root access on the host itself.  
Either through a bug, a vulnerability in the application, a vulnerability in another container on the same host, or deliberately, running as root increases the risk to your applications and infrastructure.  Attackers can run undesirable or malicious processes and use them as a starting point for scanning your systems, injecting code, or attacking your infrastructure through [lateral movement](https://www.crowdstrike.com/cybersecurity-101/lateral-movement/).  \n\nThe risk can be reduced by having your processes in the container run as a non-root user.  This follows the [principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege) and is considered a [security best practice](https://snyk.io/blog/10-docker-image-security-best-practices/).      \n\nThis repository is a collection of a few samples, based on official images, and aims to show how to run the application as an unprivileged user.  \n\n## Samples  \n\n[NodeJS sample](samples/nodejs/)  \n[Nginx sample](samples/nginx/)  \n[ASP.NET Core sample](samples/dotnet/)  \n\n// TODO  \nJava  \nPostgres  \nMSSQL  \nPHP  \nPython  \n\n\n## Other notes\n\nNot to be confused with [rootless mode](https://docs.docker.com/engine/security/rootless/).  The Docker _daemon_ itself runs as a root user, and it is possible to install, configure and run that daemon as a non-root user.  The advantage here is that it takes care of both the Docker daemon and the container runtime.  But take note of the current limitations with this.  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmendhak%2Fdocker-unprivileged","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmendhak%2Fdocker-unprivileged","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmendhak%2Fdocker-unprivileged/lists"}