Context
I am delivering some Python code through Docker and my intention is to prevent the image’s user from reading/writing/copying the files inside the image, yet allow them to run the script.
As a minimal example I have this folder:
    root directory/
        code/
            main.py
            resource.json
        Dockerfile
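main.py

    import json
    import os

    # Read the bundled resource that sits next to this script
    with open(os.path.join(os.path.dirname(__file__), "resource.json"), "r") as f:
        resource = json.load(f)

    # Write a new file into the same directory
    resource_to_write = {"key": "value"}
    with open(os.path.join(os.path.dirname(__file__), "resource_to_write.json"), "w") as f:
        json.dump(resource_to_write, f)
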
resource.json

    {"key_to_read": "value_to_read"}

Dockerfile

    FROM python:3.7.10
    WORKDIR /code
    COPY ./code .
    CMD ["/bin/bash"]

So the end goal is to allow the user to run code/main.py successfully (including reading/writing) without allowing the user to directly read, write, or copy anything from the image.
What I have tried
I know of the USER instruction of Docker, so I tried adding

    RUN chmod -R 0660 * && chmod 0665 code/ && chmod 0665 code/main.py
    USER non_root_user

But when I do docker exec <container_id> python code/main.py the script does not have the rights to open the json file.
How can I accomplish that? Is there an equivalent of passwordless sudo that I can implement so that the user can run that script correctly without giving them access to anything else?
Or am I approaching this from the wrong angle?
Bonus question
If the above is achieved, how do I prevent the user from simply doing docker exec --user root and overcoming my security measures?
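
An added example, not part of the original post: a small model of the POSIX permission check applied to the three modes set by the chmod line above. It shows why the script fails as the non-root user, since the interpreter runs with the caller's uid and is checked exactly as that user would be. Root ownership of the files and the uid/gid values are assumptions.

```python
# Constructed model of the image after the chmod commands quoted in the post.
# Assumption: every path is owned by root:root (uid 0, gid 0), the default for COPY.
TREE = {
    "code": 0o665,                # rw-rw-r-x
    "code/main.py": 0o665,        # rw-rw-r-x
    "code/resource.json": 0o660,  # rw-rw----
}
OWNER_UID, OWNER_GID = 0, 0
R, W, X = 4, 2, 1


def class_bits(mode, uid, gids):
    """Return the single rwx triplet that applies: owner, else group, else other."""
    if uid == OWNER_UID:
        return (mode >> 6) & 7
    if OWNER_GID in gids:
        return (mode >> 3) & 7
    return mode & 7


def allowed(path, want, uid, gids):
    """Model open(path) for reading (R) or writing (W) by a process with this uid/gids."""
    if uid == 0:
        return True  # root with default capabilities bypasses these read/write checks
    parts = path.split("/")
    for i in range(1, len(parts)):
        # Every parent directory needs the search (x) bit for the caller's class.
        if not (class_bits(TREE["/".join(parts[:i])], uid, gids) & X):
            return False
    return (class_bits(TREE[path], uid, gids) & want) == want


def can_create(directory, uid, gids):
    """Creating a new file needs write and search permission on the directory itself."""
    if uid == 0:
        return True
    return (class_bits(TREE[directory], uid, gids) & (W | X)) == (W | X)


def report(uid, gids):
    """Summarise what main.py needs, for a process running as uid/gids."""
    return {
        "read main.py": allowed("code/main.py", R, uid, gids),
        "read resource.json": allowed("code/resource.json", R, uid, gids),
        "create resource_to_write.json": can_create("code", uid, gids),
    }
```

Calling `report(1000, {1000})` models the non-root user; adding gid 0 to the set shows that a member of the owning group loses even main.py, because the group triplet on code/ has no search bit.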