Closed srbhklkrn closed 5 months ago
Hi,
Do we have any workaround or guidelines around using IIS with a non-root user (ContainerUser) inside the containers? Any help would be highly appreciated.
+1 - Any update??
Try this in your Dockerfile:

```dockerfile
# Requires the escape directive "# escape=`" as the very first line of the Dockerfile,
# since the backtick below is used as the line continuation character.
# https://woshub.com/set-permissions-on-windows-service/
# ContainerUser's SID is S-1-5-93-2-2.
# Grant ContainerUser query-status (LC), start (RP) and stop (WP) rights on W3SVC by
# inserting an ACE directly after the "D:" prefix of the service's current SDDL string.
# FOR /F skips the blank line that "sc sdshow" prints first; CALL forces a second
# expansion pass so %serviceDescriptor% set on the same line is visible to sc sdset.
RUN FOR /F "tokens=*" %a in ('sc sdshow w3svc') do SET serviceDescriptor=%a && `
    CALL sc sdset w3svc "%serviceDescriptor:~0,2%(A;;LCRPWP;;;S-1-5-93-2-2)%serviceDescriptor:~2%"
# Let ContainerUser modify the IIS configuration store (applicationHost.config etc.).
RUN icacls "%windir%\system32\inetsrv\Config" /grant "User Manager\ContainerUser":(CI)(OI)M
USER ContainerUser
# Exec form is parsed as JSON, so the backslash in the path must be escaped.
ENTRYPOINT ["C:\\ServiceMonitor.exe", "w3svc"]
```
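As an added example (not code from the thread or from Microsoft's images), the same service-DACL change written as a PowerShell script that can be run during `docker build` while still executing as ContainerAdministrator. Unlike the cmd.exe string slice at offset 2, it locates the DACL header with a regex (so flags such as `D:P` or `D:AI` are handled), skips the change if the ACE is already present, and verifies the result by parsing the SDDL with .NET's `RawSecurityDescriptor` rather than trusting the `sc sdset` return value alone. The service name parameter and the rights mask (LC, RP, WP = 0x0004, 0x0010, 0x0020) are assumptions for the example; the SID S-1-5-93-2-2 is the one quoted above.

```powershell
# Added example (not from the thread): idempotently grant ContainerUser LC/RP/WP on a
# Windows service and verify the resulting DACL. Run as ContainerAdministrator, e.g.
#   RUN powershell -ExecutionPolicy Bypass -File C:\grant-service-rights.ps1 -ServiceName w3svc
param([string]$ServiceName = 'w3svc')   # assumed default; pass another service if needed

$ContainerUserSid = 'S-1-5-93-2-2'
# Service-specific access bits behind the SDDL abbreviations used in the ACE:
# LC = SERVICE_QUERY_STATUS (0x0004), RP = SERVICE_START (0x0010), WP = SERVICE_STOP (0x0020)
$WantedMask = 0x0004 -bor 0x0010 -bor 0x0020

function Get-ServiceSddl([string]$Name) {
    # sc.exe prints an empty line before the descriptor; keep only non-blank output
    $lines = sc.exe sdshow $Name | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) { throw "sc sdshow $Name failed with exit code $LASTEXITCODE" }
    return ($lines -join '').Trim()
}

function Test-HasRights([string]$Sddl, [string]$Sid, [int]$Mask) {
    # Parse the SDDL and OR together every access-allowed ACE for the given SID
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $granted = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and $ace.SecurityIdentifier.Value -eq $Sid) {
            $granted = $granted -bor $ace.AccessMask
        }
    }
    return (($granted -band $Mask) -eq $Mask)
}

$sddl = Get-ServiceSddl $ServiceName
if ($sddl -notmatch 'D:') { throw "No DACL found in descriptor: $sddl" }

if (Test-HasRights $sddl $ContainerUserSid $WantedMask) {
    Write-Host "$ServiceName already grants LC/RP/WP to $ContainerUserSid; nothing to do"
} else {
    # Insert the ACE after the DACL header ("D:" plus any flags such as P or AI),
    # so the result is valid for descriptors that do not start with a plain "D:(".
    $newSddl = [regex]::Replace($sddl, '(D:[A-Z]*)', "`$1(A;;LCRPWP;;;$ContainerUserSid)")
    sc.exe sdset $ServiceName $newSddl | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc sdset $ServiceName failed with exit code $LASTEXITCODE" }

    # Re-read the descriptor and confirm the rights really landed
    if (-not (Test-HasRights (Get-ServiceSddl $ServiceName) $ContainerUserSid $WantedMask)) {
        throw "ACE for $ContainerUserSid was not applied to $ServiceName"
    }
    Write-Host "Granted LC/RP/WP on $ServiceName to $ContainerUserSid"
}
```

Because the script checks for the rights before inserting the ACE, running it twice (for example in two separate `RUN` layers, or when debugging interactively inside the container) does not leave duplicate ACEs in the service DACL. The `icacls` grant on `%windir%\system32\inetsrv\Config` from the snippet above is still needed separately; this script only covers the service object itself.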
I'm working with the docker image mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019. I've noticed that the default user for windowsservercore is ContainerAdministrator. If I try to run the image with the user ContainerUser

docker run -u ContainerUser mcr.microsoft.com/dotnet/framework/aspnet:4.8-windowsservercore-ltsc2019

I get the following error:

I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with ContainerAdministrator and cannot run with ContainerUser?

If the assumption above is correct, I would like to confirm whether running the container with ContainerAdministrator can expose the container to a security issue. As far as I understand, even if ServiceMonitor.exe is started with ContainerAdministrator, the external-facing process is the IIS Windows service, which runs under a local account in the IIS_IUSRS group. So even if an attacker could compromise the application, they will not have administrator access to the container. Can anyone confirm if this is correct?

Dockerfile: