DEV Community

Cover image for Using sudo without password prompt as non-root docker user
Emmanuel K
Emmanuel K

Posted on

Using sudo without password prompt as non-root docker user

Follow me on twitter: emmanuelnk

WARNING: This is generally considered NOT SECURE and thus do not use the methods in this article in a production container.

I have a particular use case that justifies this usage. Now you can read on.

Recently I wrote a pure bash menu program that has install scripts for various Ubuntu software I use. This is to allow me to reproduce my dev environment as fast as possible on a new Ubuntu installation.

I want to release this program as an open source tool and for that reason it needs testing and CI. Docker is perfect for this. Except for one thing. Most docker images use user root to execute commands. This is fine for most intent and purposes. But to appropriately test my program, I would need to be a non-root user inside the docker container.

Changing the root user

This is trivial and actually quite common in Dockerfiles. By default, most docker images, including ubuntu:latest have USER set to root. This can be changed by creating a new user in a Dockerfile by:

RUN useradd -ms /bin/bash newuser
# where
# -m -> Create the user's home directory
# -s /bin/bash -> Set as the user's 
# default shell
USER newuser
Enter fullscreen mode Exit fullscreen mode

This will create a newuser without root privileges to run commands in the container.
NB: You can add && echo 'pa55w0rd' | chpasswd right after the useradd to set a password.

For my use case, I need the password disabled and I need to NOT be prompted for a password when using sudo command. Now you may be asking, why would someone want to do this?

Well if you're using docker in CI and need to test certain commands being run as a regular user then this is the way. For example, on my machine, I am the USER=emmanuel. I don't have root privileges and when I need to install something, I do sudo apt-get install and enter my password to give me su access.

For my project, I'm trying to test install scripts as a regular user and thus these scripts use sudo and variables such as $HOME a lot ($HOME for root is /root). Hence using the default that most docker images have, programs would not install in the correct locations or not install correctly at all. This is not good.

Anyway, enought talking. This is what my Dockerfile looks like to accomplish this. Explanations in the comments.

# Get latest official Ubuntu image
FROM ubuntu

# ubuntu:latest does not have sudo
# fetch it and install it
RUN apt-get update && apt-get install -y sudo

# Create new user `docker` and disable 
# password and gecos for later
# --gecos explained well here:
# https://askubuntu.com/a/1195288/635348
RUN adduser --disabled-password \
--gecos '' docker

#  Add new user docker to sudo group
RUN adduser docker sudo

# Ensure sudo group users are not 
# asked for a password when using 
# sudo command by ammending sudoers file
RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> \
/etc/sudoers

# now we can set USER to the 
# user we just created
USER docker

# we can now run sudo commands 
# as non-root user `docker` without
# password prompt
RUN sudo apt-get update 

WORKDIR /home/docker/src

COPY . .
Enter fullscreen mode Exit fullscreen mode

That's it. Thanks!

If you have suggestions, improvements or want to correct me, let me know in the comments!

If this helped you out, follow me on twitter: emmanuelnk

Top comments (2)

Collapse
 
kalvaro profile image
Álvaro González

To my understanding, %sudo ALL=(ALL) NOPASSWD:ALL grants newuser (and any other user eventually added to the sudo group) permission to execute absolutely any command without being asked for password. I'd rather do something like:

%docker ALL=(ALL) NOPASSWD:/usr/bin/dockerd
Enter fullscreen mode Exit fullscreen mode
Collapse
 
legorock profile image
Ahmet Erdem

The password setting was not successful. I had to use && echo 'newuser:pa55w0rd' | chpasswd instead.