non-root / unprivileged docker image

[candrews]

Describe the bug

It's a nice practice for security reasons to have docker images use a non-root user.

For example, nginx publishes nginxinc/nginx-unprivileged (which uses the non-root user nginx) and nginx which uses root.

Ideally, the non-root / unprivileged Dockerfile may be as simple as:

FROM clamav/clamav:0.105.1
USER clamav

and those images would be published alongside the existing (root user using) images with a suffix, for example, there would be:

• latest
• latest-unprivileged
• 0.105.1
• 0.105.1-unprivileged
  etc

How to reproduce the problem

Run a docker image, for example, docker run -it --entrypoint /bin/sh clamav/clamav, and note that the user is root.

It would be nice if one could run docker run -it --entrypoint /bin/sh clamav/clamav:latest-unprivileged and see that a non-root user is used.

[candrews]

#666 would be required for this issue

[val-ms]

@candrews I believe this issue is a duplicate of #478
Is that correct?

[candrews]

@candrews I believe this issue is a duplicate of #478 Is that correct?

I wasn't aware of #478, thank you for pointing it out. I've added a comment: #478 (comment)

I think it's very important for both root and non-root images to be published, which I've stated in this issue, whereas the current description of #478 seems to indicate that only non-root images would be published going forward (which would be a major problem for me and IMHO a major break in backwards compatibility).

[val-ms]

Closing this one to continue discussion in #478 and I will update the title and make a comment along those lines.