Set password for container when use docker exec

hieunv0871 · July 7, 2024, 12:10pm

FROM nginx
ARG EXEC_PASSWORD

RUN apt-get update && apt-get install -y passwd \
    && useradd -ms /bin/bash testuser \
    && echo "testuser:${EXEC_PASSWORD}" | chpasswd

USER testuser
COPY html /usr/share/nginx/html

i want when anyone who pull my image and run container, if want use docker exec must typing password

meyay · July 7, 2024, 1:37pm

That is not how (OCI/docker) containers work. Containers “virtualize” on process level. Docker exec starts an arbitrary process. It is not a full OS with a login dialog.

If this is a hard requirement, then you will need to look for another technology like LXC, which runs os-level containers, or use a good old vm.

hieunv0871 · July 7, 2024, 2:46pm

oh, So I can’t do that or shouldn’t,
Because I want to block users with insufficient permissions from accessing some commands of my application.
Tks @meyay

rimelek · July 7, 2024, 4:31pm

You can’t do it as you would expect it. In fact, LXC has an lxc exec and lxc shell command as well which works the same way, so you don’t need to use a password. But since it runs a full OS, it is easier to configure SSH connection which is possible in a Docker container as well, but usualy not recommended. We run a single or just a few processes in the container.

On the other hand, you can manage who have access to the Docker socket and when you execute a command, that command has to go through the API. If you have something that intercepts API calls, you can restrict what can be executed. I’m not sure what happens when you run a bash shell and run other commands in the shell though. What I’m sure you could do is deny using the exec subcommand for the users which they shouldn’t use anyway unless they are debugging.

hieunv0871 · July 8, 2024, 1:21am

@rimelek sorry because we have different timezone, so i response you late.

“What I’m sure you could do is deny using the exec subcommand for the users which they shouldn’t use anyway unless they are debugging”

Can this be done in docker images or does it have to be configured in the application I use? Can I add an option to the dockerfile to block the application’s alias with name is cli of app?

meyay · July 8, 2024, 5:45am

@rimelek wrote about an authz plugin for the docker engine itself. It allows settings policies for resources on the docker api.

This has nothing to do with your image, or a container created from it. It would only apply to your docker host, If you manage to create a policy that only allows to use the login command with exec the user indeed would need to actually log in.

Topic		Replies	Views
In the Docker container, we need to be able to exec into it and view the application code and Dockerfile, but I want to set up a password for the users to restrict access General docker	1	145	September 18, 2024
When I execute docker run command or docker exec command, it doesnt ask for any password. Is there any way to ensure that when we enter docker exec or run command, it always asks for the password? General	0	1051	September 30, 2020
Prohibit access to the inside of the container General docker	2	5149	June 13, 2022
How to Restrict docker exec and docker cp Commands for Python-Based Containers General security	3	310	January 8, 2025
How to set user/command restrictions on docker container General	2	4810	April 1, 2018

Set password for container when use docker exec

Related topics