Non-root user not able to start w3svc service in docker

[srbhklkrn]

I'm working with the docker image mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019. I've noticed that the default user for windowsservercore is ContainerAdministrator.

If I try to run the image with the user ContainerUser docker run -u ContainerUser mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019 I get the following error:

ERROR: Failed to stop or query status of service 'w3svc' error [80070005

]. I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with ContainerAdministrator and cannot run with ContainerUser?

If the assumption above is correct I would like to confirm if running the container with ContainerAdministratorcan expose the container to a security issue. As far as I understand even if the ServiceMonitor.exe is started with ContainerAdministrator the external-facing process is the IIS Windows service, which runs under a local account in IIS_IUSRS group. So even if an attacker could compromise the application it will not have administrator access to the container. Can anyone confirm if this is correct?

Dockerfile:

# escape=`

FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019

ENV website-name=WebApp

WORKDIR /

RUN mkdir C:\WebApp

COPY WebApp/ /WebApp

RUN powershell -Command  `
    New-Website -Name 'WebApp' -IPAddress '*' -Port 443 -PhysicalPath C:\WebApp -ApplicationPool 'DefaultAppPool' -Ssl -SslFlags 0; `

USER ContainerUser

ENTRYPOINT ["C:\ServiceMonitor.exe", "w3svc"]