I’m using this image https://github.com/Unicon/shibboleth-sp-dockerized which has Apache and Shibboleth (a SAML authentication module for Apache)
The container runs as root to start the two services, and each service has its own user (httpd and shibd).
If I do a ps -aux inside the container, this can be confirmed.
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 1.4 0.8 277108 18308 ? Ss 12:02 0:00 httpd -DFOREGROUND
shibd 25 0.5 1.2 512608 24964 ? Ssl 12:02 0:00 /usr/sbin/shibd -p /var/run/shibboleth/shibd.pid -f -w 30
apache 32 0.5 0.8 428332 16872 ? Sl 12:02 0:00 httpd -DFOREGROUND
apache 33 0.4 0.8 428332 16872 ? Sl 12:02 0:00 httpd -DFOREGROUND
apache 35 0.4 0.8 428332 16872 ? Sl 12:02 0:00 httpd -DFOREGROUND
apache 36 0.5 0.8 428332 16872 ? Sl 12:02 0:00 httpd -DFOREGROUND
apache 37 0.5 0.8 428332 16872 ? Sl 12:02 0:00 httpd -DFOREGROUND
I need to dynamically modify configuration files per environment at runtime, so starting the services is the last command in a bash script.
Now the question… I always run containers without ROOT as the last user. In this case I don’t see an easy way of doing that, especially as Shibboleth runs as a daemon and a regular user can’t do that.
Is that approach secure? Each service runs as a non-root user, but the container entry point does not.
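A small audit helper, added here as an example and not part of the image linked above, that reads a ps listing and reports which processes still hold root; the sample listing is constructed from the post's own output, and the expectation that only PID 1 (the httpd parent that forked the workers) stays root is an assumption of this check.

```sh
#!/bin/sh
# Constructed sample: the `ps aux` listing from the post above (trimmed).
PS_SAMPLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 1.4 0.8 277108 18308 ? Ss 12:02 0:00 httpd -DFOREGROUND
shibd 25 0.5 1.2 512608 24964 ? Ssl 12:02 0:00 /usr/sbin/shibd -p /var/run/shibboleth/shibd.pid -f -w 30
apache 32 0.5 0.8 428332 16872 ? Sl 12:02 0:00 httpd -DFOREGROUND
apache 33 0.4 0.8 428332 16872 ? Sl 12:02 0:00 httpd -DFOREGROUND'

# Print "PID USER COMMAND" for every process in a ps listing that runs as root.
# Reads the listing from stdin and skips the header line.
root_processes() {
    awk 'NR > 1 && $1 == "root" {
        cmd = $11
        for (i = 12; i <= NF; i++) cmd = cmd " " $i
        print $2, $1, cmd
    }'
}

# Succeed (exit 0) when PID 1 is the only root-owned process, i.e. the
# privilege-holding parent forked workers that dropped root; fail otherwise.
only_pid1_is_root() {
    extra=$(root_processes | awk '$1 != 1 { n++ } END { print n + 0 }')
    [ "$extra" -eq 0 ]
}

# List the distinct non-root users in the listing, space separated and sorted,
# to confirm that every service worker actually runs under its own account.
service_users() {
    awk 'NR > 1 && $1 != "root" { print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Usage inside the running container, against the live process table:
#   ps aux | only_pid1_is_root && echo "only PID 1 holds root"
#   ps aux | service_users
```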