USER command in dockerfile has superpowers?!

Hello, I’m just curious about this.

Why is it, that this little dockerfile creates a user dnscrypt and group of its own, without any root privileges?
How is this possible if user dnscrypt had never been created via adduser & addgroup etc?

FROM alpine:edge

RUN apk add --update --no-cache

USER dnscrypt

CMD /usr/bin/dnscrypt-proxy

The documentation says that USER in dockerfile switches to a user that needs to be created first, with adduser or similar commands.

If none is created or without a group, as per the doc, USER will create a user that is assigned to group root, so it has full root privileges anyways.

I want a non-root user, but don’t understand why the above works.


Looks like the package installation creates the user.

You can test it yourself rather simply:

  • start an alpine container: docker run -ti --rm alpine:edge
  • check if the user exists (inside the container): id dnscrypt
  • install dnscryp-proxy (inside the container): apk add --update --no-cache dnscrypt-proxy=2.1.4-r1
  • check again if the user exists (inside the container): id dnscrypt

I expect an error with the first id dnscrypt command, and none with the second.

1 Like

Hey man, thanks for the reply. You’re right, I finally found something on stackoverflow. apk add --update automatically creates a user and group, if root is not required to run the application and no other user or group is found.

So this only works with alpine out of the box I believe. APT certainly does not do it.

I am afraid this is rather depending on the choice made by a package maintainer, than something that is generally true for a specific package manager.

On Ubuntu 22.04 the automatically created username is _dnscrypt-proxy. These usernames has nothing to do with the USER instruction in the Dockerfile, you just picked the right username to switch to. Package managers inside the container doesn’t see instructions from the Dockerfile except environment variables and build arguments (in build time)

1 Like

Yeah, Metin was right (of course) it’s the package itself that creates the user and group (without the user’s consent). So this behavior will vary from package to package.