Container started under system-wide user uid=100 (systemd-network) #39

Open
mrkeuz opened this issue Jul 21, 2022 · 0 comments

Comments

@mrkeuz

mrkeuz commented Jul 21, 2022

Hi, thanks for a good project! It just works! 🚀🚀🚀

I have an issue/proposal.

Now I'm configuring the tor-socks-proxy container for 24/7 use on my home server, so I have a couple of thoughts.

Issue

By your recipe, my container starts as uid=100. In my case that is the systemd-network user, despite the user in the Dockerfile being tor. Probably it is because of specific user mapping during build, although my system's tor user has a strictly defined UID.

Anyway, intersecting with the system-wide uid=100 (systemd-network) is bad security practice, I think.

Proposal

I propose changing the recipes and adding some defined numeric UID. Using a numeric UID lets us isolate the container from the rest of the system even if the user does not exist on the host.

For example, my recipe to fix it (uid=9155), reduced:

FROM alpine:3.16

...

# Give the fixed numeric UID ownership of the config and data directory
COPY --chown=9155:9155 torrc /etc/tor/
RUN chown 9155:9155 /var/lib/tor

...

# Run as a numeric UID that need not exist in /etc/passwd, in the image or on the host
USER 9155
EXPOSE 8853/udp 9150/tcp

CMD ["/usr/bin/tor", "-f", "/etc/tor/torrc"]

Compose:

---
version: "3.8"

services:
  tor-socks-proxy:
    container_name: tor-socks-proxy
    build: .
    user: "9155:9155"
    ports:
      - "0.0.0.0:9153:8853/udp"
      - "0.0.0.0:9153:8853/tcp"
      - "0.0.0.0:9155:9150/tcp"
    restart: always

What do you think about this?

Env:

Ubuntu 20.04
Docker version 20.10.17
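An added check, not part of the issue or the tor-socks-proxy project, that reads the last USER directive from a Dockerfile and reports whether it is a numeric UID and whether that UID already belongs to an account in a given passwd file. The Dockerfiles and passwd file it uses are constructed inline to reproduce the uid=100 collision described above.

```shell
#!/bin/sh
# Added example: verify a Dockerfile's USER is a numeric UID that is not
# already allocated on the host. Sample inputs below are constructed.

# Print the argument of the last USER directive in Dockerfile $1 (empty if none).
last_user_directive() {
    awk 'toupper($1)=="USER" {u=$2} END {print u}' "$1"
}

# Succeed only when $1 is purely numeric, in "uid" or "uid:gid" form.
is_numeric_uid() {
    case "$1" in
        ''|*[!0-9:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the account name that owns UID $1 in passwd file $2, if any.
host_account_for_uid() {
    awk -F: -v uid="$1" '$3==uid {print $1; exit}' "$2"
}

# Prints "missing", "non-numeric", "collides:<account>" or "ok".
check_dockerfile_user() {
    dockerfile="$1"; passwd="$2"
    u=$(last_user_directive "$dockerfile")
    if [ -z "$u" ]; then echo "missing"; return 1; fi       # defaults to root
    if ! is_numeric_uid "$u"; then echo "non-numeric"; return 1; fi
    uid=${u%%:*}                                            # strip optional :gid
    owner=$(host_account_for_uid "$uid" "$passwd")
    if [ -n "$owner" ]; then echo "collides:$owner"; return 1; fi
    echo "ok"
}

# Constructed sample host passwd file and three Dockerfile variants.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
systemd-network:x:100:102:systemd Network Management:/run/systemd:/usr/sbin/nologin
EOF
printf 'FROM alpine:3.16\nUSER tor\n'  >"$tmp/Dockerfile.named"
printf 'FROM alpine:3.16\nUSER 100\n'  >"$tmp/Dockerfile.uid100"
printf 'FROM alpine:3.16\nUSER 9155\n' >"$tmp/Dockerfile.fixed"

for f in named uid100 fixed; do
    printf '%s: %s\n' "$f" "$(check_dockerfile_user "$tmp/Dockerfile.$f" "$tmp/passwd")"
done
```

Point the second argument at the real /etc/passwd of the host to check an actual image recipe.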
