# Ensure User Created (CIS 4.1)

> Containers should run as a non-root user to minimize security risks

## Impact & Risk Analysis

* **Severity:** High
* **CIS Benchmark:** CIS 4.1
* **Impact:** **Privilege Escalation & Bind Mount Issues.** By default, containers run with root privileges. This increases the risk of privilege escalation if the container is compromised. Additionally, running as root can create permission challenges when bind-mounting volumes from the underlying host.

## Common Misconfiguration

The Dockerfile neither creates a dedicated user nor switches to one with the `USER` directive. Without a `USER` instruction, Docker starts the container's process as root (UID 0) inside the container.

## Vulnerable Example

```dockerfile
# Vulnerable Dockerfile
# No USER directive is specified, so this runs as root (UID 0)
FROM ubuntu:22.04

WORKDIR /app
COPY . .

# Default behavior:
# The process started by CMD will have full root privileges
CMD ["./start-app.sh"]
```

## Secure Example

```dockerfile
# Secure Dockerfile
FROM ubuntu:22.04

# Create a specific user before the USER instruction
RUN useradd -d /home/appuser -m -s /bin/bash appuser

WORKDIR /app

# Ensure the new user owns the application files
COPY --chown=appuser:appuser . .

# Switch to the non-root user
USER appuser

CMD ["./start-app.sh"]
```

## Alternative Remediation (Entrypoint Script)

If it is not possible to set the `USER` directive in the Dockerfile (e.g., you need root at container start to fix volume ownership or install dependencies), use an entrypoint script that does the root work first and then drops privileges before launching the main process:

```bash
#!/bin/bash
# entrypoint.sh
# Requires: the appuser account created in the Dockerfile and the gosu binary
# installed in the image (it is not part of ubuntu:22.04 by default).
set -euo pipefail

# Do root work here (if absolutely necessary)
chown -R appuser:appuser /app/data

# Switch to non-root user to run the main process; exec replaces this shell so
# the application becomes PID 1 and receives signals directly
exec gosu appuser "$@"
```

## Audit Procedure

To verify whether the main process of each running container is running as root, run the following command on the host:

```bash
# Print the effective UID of PID 1 in every running container.
# The Uid: line of /proc/1/status lists real, effective, saved and filesystem UIDs;
# awk field $3 is the effective UID.
docker ps --quiet | xargs --max-args=1 -I{} docker exec {} cat /proc/1/status | grep '^Uid:' | awk '{print $3}'
```

* **Result:** This prints the effective UID of PID 1, one line per running container.
* **Fail:** If it returns `0`, the container process is running as root.
* **Pass:** If it returns a non-zero ID (e.g., `1000`), it is compliant.

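The audit above checks containers at runtime. The following is an added example, not part of this guide or the benchmark, of the same check applied statically to a Dockerfile before it is built: it handles multi-stage builds (where `USER` resets at each `FROM` unless the base is an earlier stage), backslash continuations, `USER root`, `USER 0` and `USER uid:gid`, and reports whether the final user was actually created in the build. The `SAMPLE` Dockerfile is constructed for illustration.

```python
def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs; joins backslash continuations, skips comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # instruction continues on the next line
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        buf = ""
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def audit_dockerfile(text):
    """Return (user, compliant, reason) for the image the final stage produces."""
    stages = []  # one dict per build stage: alias, effective USER, and its RUN lines
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            # USER resets at every FROM unless the base is an earlier stage of this build
            tokens = [t for t in arg.split() if not t.startswith("--")]  # skip --platform
            base = tokens[0].lower()
            alias = tokens[2].lower() if len(tokens) > 2 and tokens[1].upper() == "AS" else None
            parent = next((s for s in stages if s["name"] == base), None)
            stages.append({"name": alias, "user": parent["user"] if parent else None,
                           "runs": list(parent["runs"]) if parent else []})
        elif instr == "USER" and stages:
            stages[-1]["user"] = arg.split(":")[0].strip()   # drop the optional :group
        elif instr == "RUN" and stages:
            stages[-1]["runs"].append(arg)
    if not stages:
        return None, False, "no FROM instruction found"
    user, runs = stages[-1]["user"], stages[-1]["runs"]
    if user is None:
        return "root", False, "no USER in final stage; defaults to root (UID 0)"
    if user in ("root", "0"):
        return user, False, "USER explicitly set to root"
    if user.isdigit():
        return user, True, "numeric non-zero UID"
    if not any(("useradd" in r or "adduser" in r) and user in r.split() for r in runs):
        return user, True, "non-root user not created here; it must exist in the base image"
    return user, True, "non-root user created in this build"

# Constructed sample: a multi-stage build whose final stage inherits USER from "builder".
SAMPLE = """FROM ubuntu:22.04 AS builder
RUN useradd -d /home/appuser -m -s /bin/bash \\
    appuser
USER appuser
FROM builder
"""
```

`audit_dockerfile(SAMPLE)` returns `("appuser", True, "non-root user created in this build")`; feeding it the vulnerable Dockerfile from this page returns `("root", False, ...)`.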