Change root password - docker image

Your users need root access to their systems; and if they have some non-root method to access Docker, like the docker group in Ubuntu, it’s one step away from root.

docker run --rm -v /:/host ubuntu:16.04 cat /host/etc/shadow
docker run --rm -v /:/host ubuntu:16.04 sh -c "echo '$USER ALL=(ALL) NOPASSWD: ALL' >>/host/etc/sudoers"

Also, “debug” mechanisms like docker exec jump directly into a root shell in the container and ignore any password setup you might happen to have in the container.

As I said above, nothing stops you from RUN echo foo | passwd root in a Dockerfile (visible in docker history), or COPY shadow /etc (still vulnerable to offline attacks) to “set a root password in the container”, but it’s all but impossible to make that an effective security measure.
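
An audit for the point made in the post above, added here as an example and not part of the original post: since docker group membership is one step away from root, this lists every account that has it. The function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit who is root-equivalent
# through Docker group membership. File paths are parameters so the check can
# run against copies collected from other hosts.

# Print every account in the given group: supplementary members from group(5)
# field 4 plus accounts whose primary GID (passwd(5) field 4) is that group.
docker_group_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    group_name=${3:-docker}

    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0          # group absent: nothing to report

    {
        awk -F: -v g="$group_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample data: carol is in docker only through her primary GID,
# which a grep of /etc/group alone would miss.
demo_members() {
    tmp=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'sudo:x:27:alice' 'docker:x:998:alice,bob' >"$tmp/group"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' \
        'carol:x:1002:998::/home/carol:/bin/bash' \
        'dave:x:1003:1003::/home/dave:/bin/bash' >"$tmp/passwd"
    docker_group_members "$tmp/group" "$tmp/passwd" | paste -sd ' ' -
    rm -rf "$tmp"
}

demo_members    # alice bob carol
```

Called with no arguments, docker_group_members reads /etc/group and /etc/passwd on the local host; accounts supplied by LDAP or another directory service are not in those files and need a separate check.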