OWASP Docker Top 10: Secure User Mapping

By Aarati | Published: May 03, 2026

TL;DR: Never run Docker containers as root. Always map container users to non-root host users to prevent privilege escalation attacks.


🔍 Why User Mapping Matters

By default, Docker containers run processes as root (UID 0). If an attacker compromises the container, they gain root access to the container filesystem. Without user namespace remapping, UID 0 inside the container is the same UID 0 as on the host, so this can escalate to host-level access.


⚠️ The Core Problem

When a container runs as root and writes files to a mounted volume, those files are owned by root on the host system. This breaks the principle of least privilege and creates a serious security gap.


🛡️ How to Prevent It

# ✅ Dockerfile best practice
FROM node:18-alpine

# Create non-root user
RUN addgroup -g 1001 appgroup && \
    adduser -u 1001 -G appgroup -S appuser

# Switch to non-root user
USER appuser

# Set working directory
WORKDIR /home/appuser/app

🔧 Additional Security Controls

  • Drop unnecessary Linux capabilities: --cap-drop=ALL
  • Enable read-only root filesystem: --read-only
  • Use minimal base images (alpine, distroless)
  • Scan images with Trivy or Docker Scout
  • Start the Docker daemon with --userns-remap for user namespace isolation (this is a dockerd option, not a docker run flag)

🎯 Key Takeaways

  • ✅ Always run containers as non-root users
  • ✅ Map container UIDs to restricted host UIDs
  • ✅ Test security configs in staging before production
  • ✅ Document your container security policies

💡 Pro Tip: Add this to your CI/CD pipeline to enforce non-root users:
docker run --user 1001:1001 my-image
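
The command above sets the user at run time. A pipeline can also check the user recorded in the image itself and fail the build when it is root or missing. This is an added example, not part of the original post; the function names and the script name in the comment are illustrative.

```shell
#!/bin/sh
# Added example: fail a pipeline step when an image's configured USER is root.
# Function names are illustrative; pass the image name as the first argument.

# Classify a .Config.User value: "", "name", "uid", "name:group" or "uid:gid".
# Returns 0 when the user part is non-root, 1 when it is root or unset.
is_nonroot_user() {
    user=${1%%:*}               # drop the optional ":group" part
    case "$user" in
        ''|root)  return 1 ;;   # no USER instruction: Docker defaults to UID 0
        *[!0-9]*) return 0 ;;   # a name other than "root" (see caveat below)
        *[1-9]*)  return 0 ;;   # numeric UID with a non-zero digit
        *)        return 1 ;;   # "0", "00", ...: still UID 0
    esac
}
# Caveat: a name is trusted as given. An image whose /etc/passwd maps another
# name to UID 0 passes this check, so prefer numeric UIDs in USER.

# Read the user recorded in a local image and apply the check.
check_image() {
    configured=$(docker image inspect --format '{{.Config.User}}' "$1") || return 2
    if is_nonroot_user "$configured"; then
        echo "OK: $1 runs as '$configured'"
    else
        echo "FAIL: $1 runs as root (USER='$configured')" >&2
        return 1
    fi
}

# Run only when an image name is given, e.g.: sh check-user.sh my-image
if [ "$#" -gt 0 ]; then
    check_image "$1"
fi
```

The check covers the image's default user only; a `--user 0` passed to `docker run` still overrides it.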