microsoft / iis-docker

Dockerfile for IIS
https://hub.docker.com/r/microsoft/iis/
MIT License
288 stars 128 forks

Non-root user not able to start w3svc service in docker #181

Closed srbhklkrn closed 5 months ago

srbhklkrn commented 3 years ago

I'm working with the docker image mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019. I've noticed that the default user for windowsservercore is ContainerAdministrator.

If I try to run the image with the user ContainerUser (docker run -u ContainerUser mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019) I get the following error:

ERROR: Failed to stop or query status of service 'w3svc' error [80070005].

I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with ContainerAdministrator and cannot run with ContainerUser?

If the assumption above is correct I would like to confirm if running the container with ContainerAdministrator can expose the container to a security issue. As far as I understand even if the ServiceMonitor.exe is started with ContainerAdministrator the external-facing process is the IIS Windows service, which runs under a local account in IIS_IUSRS group. So even if an attacker could compromise the application it will not have administrator access to the container. Can anyone confirm if this is correct?

Dockerfile:

# escape=`

FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019

ENV website-name=WebApp

WORKDIR /

RUN mkdir C:\WebApp

COPY WebApp/ /WebApp

RUN powershell -Command `
    New-Website -Name 'WebApp' -IPAddress '*' -Port 443 -PhysicalPath C:\WebApp -ApplicationPool 'DefaultAppPool' -Ssl -SslFlags 0

USER ContainerUser

ENTRYPOINT ["C:\\ServiceMonitor.exe", "w3svc"]

rawahars commented 3 years ago

Hi,

Do we have any workaround or guidelines around using IIS with a non-root user (ContainerUser) inside the containers? Any help would be highly appreciated.

paulofrazao commented 1 year ago

+1 - Any update??

LeVraiSylvain commented 1 year ago

Try this in your Dockerfile

# https://woshub.com/set-permissions-on-windows-service/
# ContainerUser's SID is S-1-5-93-2-2
RUN FOR /F "tokens=*" %a in ('sc sdshow w3svc') do SET serviceDescriptor=%a && `
    CALL sc sdset w3svc "%serviceDescriptor:~0,2%(A;;LCRPWP;;;S-1-5-93-2-2)%serviceDescriptor:~2%"
RUN icacls "%windir%\system32\inetsrv\Config" /grant "User Manager\ContainerUser":(CI)(OI)M

USER ContainerUser

ENTRYPOINT ["C:\\ServiceMonitor.exe", "w3svc"]
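For anyone landing on this thread, here is the original Dockerfile from the question with the service-ACL workaround above folded in, plus a build-time check that the ACE actually landed. This is an added example, not code from the issue participants or from the iis-docker project. It assumes the site content lives in ./WebApp next to the Dockerfile, that the ContainerUser SID S-1-5-93-2-2 quoted in the thread is correct, and that the base image still ships ServiceMonitor.exe at C:\ServiceMonitor.exe. Everything that needs administrator rights (creating the site, editing the service security descriptor and the inetsrv\Config ACL) runs before the USER switch, so at runtime only the container-level least-privilege account remains.

```dockerfile
# escape=`
# Added example (not the issue author's or the project's own Dockerfile).
FROM mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019

WORKDIR /

# COPY creates C:\WebApp, so no separate mkdir is needed. Assumes ./WebApp exists.
COPY WebApp/ /WebApp

# Site creation touches applicationHost.config and must run as ContainerAdministrator.
RUN powershell -Command `
    New-Website -Name 'WebApp' -IPAddress '*' -Port 443 -PhysicalPath C:\WebApp -ApplicationPool 'DefaultAppPool' -Ssl -SslFlags 0

# Grant ContainerUser (S-1-5-93-2-2) only what ServiceMonitor needs on w3svc:
# LC = query status, RP = start, WP = stop. The ACE is spliced in right after the
# leading "D:" of the existing SDDL so the rest of the descriptor is unchanged.
# CALL forces a second %-expansion so the freshly SET variable is used.
RUN FOR /F "tokens=*" %a in ('sc sdshow w3svc') do SET serviceDescriptor=%a && `
    CALL sc sdset w3svc "%serviceDescriptor:~0,2%(A;;LCRPWP;;;S-1-5-93-2-2)%serviceDescriptor:~2%"

# ServiceMonitor rewrites the IIS configuration, so ContainerUser needs Modify on
# the config directory; (CI)(OI) make the grant inherit to subfolders and files.
RUN icacls "%windir%\system32\inetsrv\Config" /grant "User Manager\ContainerUser":(CI)(OI)M

# Fail the build now if the ACE was not applied, instead of hitting 80070005 at runtime.
RUN sc sdshow w3svc | findstr /C:"S-1-5-93-2-2" >NUL || (echo w3svc security descriptor was not updated & exit 1)

USER ContainerUser

# Exec form is JSON, so the backslash in the path must be doubled.
ENTRYPOINT ["C:\\ServiceMonitor.exe", "w3svc"]
```

Build with docker build -t webapp-nonroot . and run it without -u; the USER instruction already makes ContainerUser the default. Inside a running container, sc sdshow w3svc should list the (A;;LCRPWP;;;S-1-5-93-2-2) entry, and whoami should report User Manager\ContainerUser rather than ContainerAdministrator.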