Restrict access of other linux user to docker container





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}







0















I have two linux users, named as: ubuntu and my_user
Now I build a simple Docker image and also run the Docker container
In my docker-compose.yml, I volume mount some of the files from local machine to the container, which were created by 'ubuntu' user.



Now if I login by 'my_user', and access the docker container created by 'ubuntu' user using docker exec command, then I am able to access any files that are present in the container.



My requirement is to restrict the access of 'my_user', to access the content of Docker container that was created by 'ubuntu' user.










share|improve this question























  • What are you actually trying to achieve here?

    – jonrsharpe
    Nov 16 '18 at 8:03













  • Not with the core functionality of the Moby/Docker Engine; multi-tenant support and user-management / role-based access control is out of scope, but platforms , such as Docker Enterprise Edition provide that functionality

    – malyy
    Nov 16 '18 at 8:47











  • Hi jonrsharpe, actually I want my container data to be secured such that only one linux user can access those container contents, no other linux user should be able to perform changes in the container data.

    – Surabhi Dudhediya
    Nov 16 '18 at 8:59


















0















I have two linux users, named as: ubuntu and my_user
Now I build a simple Docker image and also run the Docker container
In my docker-compose.yml, I volume mount some of the files from local machine to the container, which were created by 'ubuntu' user.



Now if I login by 'my_user', and access the docker container created by 'ubuntu' user using docker exec command, then I am able to access any files that are present in the container.



My requirement is to restrict the access of 'my_user', to access the content of Docker container that was created by 'ubuntu' user.










share|improve this question























  • What are you actually trying to achieve here?

    – jonrsharpe
    Nov 16 '18 at 8:03













  • Not with the core functionality of the Moby/Docker Engine; multi-tenant support and user-management / role-based access control is out of scope, but platforms , such as Docker Enterprise Edition provide that functionality

    – malyy
    Nov 16 '18 at 8:47











  • Hi jonrsharpe, actually I want my container data to be secured such that only one linux user can access those container contents, no other linux user should be able to perform changes in the container data.

    – Surabhi Dudhediya
    Nov 16 '18 at 8:59














0












0








0


0






I have two linux users, named as: ubuntu and my_user
Now I build a simple Docker image and also run the Docker container
In my docker-compose.yml, I volume mount some of the files from local machine to the container, which were created by 'ubuntu' user.



Now if I login by 'my_user', and access the docker container created by 'ubuntu' user using docker exec command, then I am able to access any files that are present in the container.



My requirement is to restrict the access of 'my_user', to access the content of Docker container that was created by 'ubuntu' user.










share|improve this question














I have two linux users, named as: ubuntu and my_user
Now I build a simple Docker image and also run the Docker container
In my docker-compose.yml, I volume mount some of the files from local machine to the container, which were created by 'ubuntu' user.



Now if I login by 'my_user', and access the docker container created by 'ubuntu' user using docker exec command, then I am able to access any files that are present in the container.



My requirement is to restrict the access of 'my_user', to access the content of Docker container that was created by 'ubuntu' user.







linux docker docker-compose dockerfile






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 16 '18 at 7:35









Surabhi DudhediyaSurabhi Dudhediya

42




42













  • What are you actually trying to achieve here?

    – jonrsharpe
    Nov 16 '18 at 8:03













  • Not with the core functionality of the Moby/Docker Engine; multi-tenant support and user-management / role-based access control is out of scope, but platforms , such as Docker Enterprise Edition provide that functionality

    – malyy
    Nov 16 '18 at 8:47











  • Hi jonrsharpe, actually I want my container data to be secured such that only one linux user can access those container contents, no other linux user should be able to perform changes in the container data.

    – Surabhi Dudhediya
    Nov 16 '18 at 8:59



















  • What are you actually trying to achieve here?

    – jonrsharpe
    Nov 16 '18 at 8:03













  • Not with the core functionality of the Moby/Docker Engine; multi-tenant support and user-management / role-based access control is out of scope, but platforms , such as Docker Enterprise Edition provide that functionality

    – malyy
    Nov 16 '18 at 8:47











  • Hi jonrsharpe, actually I want my container data to be secured such that only one linux user can access those container contents, no other linux user should be able to perform changes in the container data.

    – Surabhi Dudhediya
    Nov 16 '18 at 8:59

















What are you actually trying to achieve here?

– jonrsharpe
Nov 16 '18 at 8:03







What are you actually trying to achieve here?

– jonrsharpe
Nov 16 '18 at 8:03















Not with the core functionality of the Moby/Docker Engine; multi-tenant support and user-management / role-based access control is out of scope, but platforms , such as Docker Enterprise Edition provide that functionality

– malyy
Nov 16 '18 at 8:47





Not with the core functionality of the Moby/Docker Engine; multi-tenant support and user-management / role-based access control is out of scope, but platforms , such as Docker Enterprise Edition provide that functionality

– malyy
Nov 16 '18 at 8:47













Hi jonrsharpe, actually I want my container data to be secured such that only one linux user can access those container contents, no other linux user should be able to perform changes in the container data.

– Surabhi Dudhediya
Nov 16 '18 at 8:59





Hi jonrsharpe, actually I want my container data to be secured such that only one linux user can access those container contents, no other linux user should be able to perform changes in the container data.

– Surabhi Dudhediya
Nov 16 '18 at 8:59












3 Answers
3






active

oldest

votes


















1














This is not possible to achieve currently. If your user can execute Docker commands, it means effectively that the user has root privileges, therefore it's impossible to prevent this user from accessing any files.






share|improve this answer
























  • Can we use any third party utility to achieve this

    – Surabhi Dudhediya
    Nov 16 '18 at 9:46



















0














You can add "ro",means readOnly after the data volumn.Like this



HOST:CONTAINER:ro



Or you can add ReadOnly properties in your docker-compose.yml



Here is an example how to specify read-only containers in docker-compose:
enter image description here






share|improve this answer

































    0














    @surabhi, There is only option to restrict file access by adding fields in docker-compose file.



    read_only: flag to set the volume as read-only



    nocopy: flag to disable copying of data from a container when a volume is created



    You can find more information here






    share|improve this answer
























      Your Answer






      StackExchange.ifUsing("editor", function () {
      StackExchange.using("externalEditor", function () {
      StackExchange.using("snippets", function () {
      StackExchange.snippets.init();
      });
      });
      }, "code-snippets");

      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "1"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53333348%2frestrict-access-of-other-linux-user-to-docker-container%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      3 Answers
      3






      active

      oldest

      votes








      3 Answers
      3






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      1














      This is not possible to achieve currently. If your user can execute Docker commands, it means effectively that the user has root privileges, therefore it's impossible to prevent this user from accessing any files.






      share|improve this answer
























      • Can we use any third party utility to achieve this

        – Surabhi Dudhediya
        Nov 16 '18 at 9:46
















      1














      This is not possible to achieve currently. If your user can execute Docker commands, it means effectively that the user has root privileges, therefore it's impossible to prevent this user from accessing any files.






      share|improve this answer
























      • Can we use any third party utility to achieve this

        – Surabhi Dudhediya
        Nov 16 '18 at 9:46














      1












      1








      1







      This is not possible to achieve currently. If your user can execute Docker commands, it means effectively that the user has root privileges, therefore it's impossible to prevent this user from accessing any files.






      share|improve this answer













      This is not possible to achieve currently. If your user can execute Docker commands, it means effectively that the user has root privileges, therefore it's impossible to prevent this user from accessing any files.







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Nov 16 '18 at 9:05









      Uku LoskitUku Loskit

      31.1k87081




      31.1k87081













      • Can we use any third party utility to achieve this

        – Surabhi Dudhediya
        Nov 16 '18 at 9:46



















      • Can we use any third party utility to achieve this

        – Surabhi Dudhediya
        Nov 16 '18 at 9:46

















      Can we use any third party utility to achieve this

      – Surabhi Dudhediya
      Nov 16 '18 at 9:46





      Can we use any third party utility to achieve this

      – Surabhi Dudhediya
      Nov 16 '18 at 9:46













      0














      You can add "ro",means readOnly after the data volumn.Like this



      HOST:CONTAINER:ro



      Or you can add ReadOnly properties in your docker-compose.yml



      Here is an example how to specify read-only containers in docker-compose:
      enter image description here






      share|improve this answer






























        0














        You can add "ro",means readOnly after the data volumn.Like this



        HOST:CONTAINER:ro



        Or you can add ReadOnly properties in your docker-compose.yml



        Here is an example how to specify read-only containers in docker-compose:
        enter image description here






        share|improve this answer




























          0












          0








          0







          You can add "ro",means readOnly after the data volumn.Like this



          HOST:CONTAINER:ro



          Or you can add ReadOnly properties in your docker-compose.yml



          Here is an example how to specify read-only containers in docker-compose:
          enter image description here






          share|improve this answer















          You can add "ro",means readOnly after the data volumn.Like this



          HOST:CONTAINER:ro



          Or you can add ReadOnly properties in your docker-compose.yml



          Here is an example how to specify read-only containers in docker-compose:
          enter image description here







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 16 '18 at 9:02









          RUL

          11810




          11810










          answered Nov 16 '18 at 8:34









          user10661562user10661562

          12




          12























              0














              @surabhi, There is only option to restrict file access by adding fields in docker-compose file.



              read_only: flag to set the volume as read-only



              nocopy: flag to disable copying of data from a container when a volume is created



              You can find more information here






              share|improve this answer




























                0














                @surabhi, There is only option to restrict file access by adding fields in docker-compose file.



                read_only: flag to set the volume as read-only



                nocopy: flag to disable copying of data from a container when a volume is created



                You can find more information here






                share|improve this answer


























                  0












                  0








                  0







                  @surabhi, There is only option to restrict file access by adding fields in docker-compose file.



                  read_only: flag to set the volume as read-only



                  nocopy: flag to disable copying of data from a container when a volume is created



                  You can find more information here






                  share|improve this answer













                  @surabhi, There is only option to restrict file access by adding fields in docker-compose file.



                  read_only: flag to set the volume as read-only



                  nocopy: flag to disable copying of data from a container when a volume is created



                  You can find more information here







                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Nov 16 '18 at 14:01









                  Jithin BabuJithin Babu

                  316




                  316






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Stack Overflow!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53333348%2frestrict-access-of-other-linux-user-to-docker-container%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      Florida Star v. B. J. F.

                      Danny Elfman

                      Lugert, Oklahoma