Docker: running as non-root user

Hello,

I would like to run the certbot docker image as a user other than root, but we have a file permissions problem:

/var/lib/letsencrypt

I can map those folders to a writable location, but I wonder if we could give a+rwx access to those folders in the Dockerfile.

That would mean adding a new line here: Dockerfile#L49

RUN chmod a+rwx /var/lib/letsencrypt /var/log/letsencrypt

I can make a PR if this is a good idea.

On a security level, I see nothing against that...

Good idea or not?

1 Like

Welcome to the Let's Encrypt Community! 🙂

Let me consult the source.

@bmw

What are your thoughts here?

1 Like

Thanks, and thanks for your quick reply (sorry, I am too task-oriented).

If we add the lines there, you can run

docker run --user 1000:1000 blablabla

and all the files would be owned by 1000:1000.

My plan is to give my operators access to the files without the need for sudo, hence the idea of running Docker as a user other than root.

2 Likes

If you don't get a reply from a Certbot dev here, you might try the Certbot channel on EFF's Mattermost. That's what they recommend before submitting a PR.

4 Likes

That is the equivalent of setting 777, which would make the Private and Account keys globally readable to all users.

That should be doable with group permissions.
You can also use the --config directive to use a single install for multiple users (each having their own config).

Is there a reason for running Certbot as a non-root user? Other ACME clients may be better for non-root use cases, but all clients generally require root permissions (or root to configure routing) for the HTTP-01 challenges.

3 Likes
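The group-permission alternative mentioned in the reply above, set beside the `a+rwx` mode from the proposed `RUN` line, as an added example that is not part of the original thread or of Certbot's Dockerfile. The scratch directory layout, the file name and the helper names `count_other` and `lock_to_group` are constructed for illustration, and the current user's primary group stands in for the operators' shared group.

```shell
#!/bin/sh
# Added example: world access under `chmod a+rwx` versus a group-scoped mode.

# Count entries under DIR ($1) whose "other" permission bits include MASK ($2),
# e.g. 002 = world-writable, 004 = world-readable.
count_other() {
    find "$1" -perm "-$2" -print | wc -l | tr -d ' '
}

# Give owner and group full access and everyone else none.
# The setgid bit (2xxx) on directories makes new files inherit the directory's
# group, so files written by the container stay in the operators' group.
lock_to_group() {
    chgrp -R "$2" "$1"
    find "$1" -type d -exec chmod 2770 {} +
    find "$1" -type f -exec chmod 0660 {} +
}

demo() (
    umask 022                                # common default, fixed for a repeatable result
    root=$(mktemp -d)                        # constructed scratch tree, not a real install
    mkdir -p "$root/lib/accounts" "$root/log"
    echo "constructed placeholder, not a real key" > "$root/lib/accounts/key.json"

    chmod a+rwx "$root/lib" "$root/log"      # the mode the proposed RUN line sets
    echo "a+rwx:      world-writable=$(count_other "$root" 002)" \
         "world-readable=$(count_other "$root" 004)"

    lock_to_group "$root" "$(id -g)"         # assumption: operators share this group
    echo "group-only: world-writable=$(count_other "$root" 002)" \
         "world-readable=$(count_other "$root" 004)"
    rm -rf "$root"
)

demo
```

On a real host the same modes would go on the bind-mounted directories, with the container started under a UID:GID whose group matches, as in the thread's `docker run --user 1000:1000`.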

Thanks for all your advice.

> That is the equivalent of setting 777, which would make the Private and Account keys globally readable to all users.

We are in Docker, so extra access to files should not be a problem... would it?

> Is there a reason for running Certbot as a non-root user?

The files created by the process are visible on the host system, and I would like to control who owns them (user and group).

I agree that it is a change, but I think this allows new use cases; it does not limit the actual use cases. Would this hurt something somewhere?

1 Like
