coreruleset / modsecurity-crs-docker

Official ModSecurity Docker + Core Rule Set (CRS) images
https://coreruleset.org
Apache License 2.0

USER does not work. #184

Closed leveryd closed 8 months ago

leveryd commented 8 months ago
docker run -e USER=root -ti --rm owasp/modsecurity-crs:3.3.5-nginx-alpine-202401080101

➜  ~ docker exec -ti 2d9c96809969 sh
/usr/share/nginx/html # ps aux
PID   USER     TIME  COMMAND
    1 root      0:00 nginx: master process nginx -g daemon off;
  125 nginx     0:00 nginx: worker process
  126 nginx     0:00 nginx: worker process
  127 nginx     0:00 nginx: worker process
  128 nginx     0:00 nginx: worker process
  129 root      0:00 sh
  136 root      0:00 ps aux

I have set USER=root, but the nginx process user is still nginx.

fzipi commented 8 months ago

Thanks, give us some time to check upstream to see why this doesn't work as expected.

theseion commented 8 months ago

TBH, it doesn't really make sense to me to set USER at start time. If at all, then USER should be a build parameter. If we'd want to support setting the user at start time we would have to do the following:

Not only would we likely open up some security holes, this would have to happen at every start. I don't think it's a good idea. If, however, the purpose is solely to run as root, we could change the variable to "RUN_AS_ROOT", although I don't see why that would make sense either.

We also wanted to switch to the unprivileged image anyway.

My proposal: drop support for setting the USER (the USER environment variable can still be overwritten by setting it). I would also drop it for httpd. Setting the user may make sense in a classical environment but it doesn't make sense to me in containers.

fzipi commented 8 months ago

You are right @theseion. For nginx we don't use the USER variable at all. It should be set around here.

Regarding the proposal, probably it makes sense to drop support for the USER anyway.