4.2.11.4 USER Runtime Permissions
A focused guide to USER Runtime Permissions, connecting core concepts with practical Docker and container operations.
USER runtime permissions are the privileges a container's main process actually holds once it is running as the user named by the USER instruction: they determine which filesystem operations, network bindings, and system calls that process is allowed to perform.
What Changes When Running as Non-Root
A non-root process is subject to standard Unix permission checks: it can only read, write, or execute files it has been granted permission to, and it cannot perform operations that require root privileges, such as binding to ports below 1024 without additional configuration.
USER appuser
EXPOSE 8080
CMD ["node", "server.js"]
Listening on port 8080 works fine for a non-root user, since ports 1024 and above do not require elevated privileges.
Binding to Privileged Ports as Non-Root
An application that must be reachable on a port below 1024 while running as a non-root user needs either an explicit capability grant or a design that listens on a higher port inside the container, with that port mapped to the privileged one on the host.
docker run -p 80:8080 myapp
Mapping host port 80 to container port 8080 lets the application listen on an unprivileged port internally while still being reachable on the standard HTTP port externally.
Limited Filesystem Access
A non-root user's filesystem access is limited to whatever has been explicitly granted, which is precisely the protective effect intended: a compromised process running as this restricted user cannot read or modify files outside of what it was deliberately given access to.
docker exec myapp cat /etc/shadow
This fails for a properly configured non-root user: docker exec runs as the container's configured USER by default, and /etc/shadow is not normally readable by anyone other than root.
Verifying Actual Runtime Permissions
Directly testing what a running container's process can and cannot do is the most reliable way to confirm the intended permission restrictions are actually in effect.
docker exec myapp id
docker exec myapp ls -la /app
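The checks above, collected into one script as an added example that is not part of the original page. It assumes docker is on PATH, that the running container has a POSIX sh, and that the container name is passed as the first argument; the exit status is 0 only when every probe behaves as expected for an unprivileged USER.

```shell
#!/bin/sh
# Added example, not from the original page: automates the runtime checks.
# Assumes `docker` is on PATH, the container is running, has a POSIX sh, and
# its name is passed as the first argument.

# Run a sh snippet inside the container; return its exit status and stdout.
# Kept in one function so it can be swapped out when testing without Docker.
in_container() {
    docker exec "$1" sh -c "$2" 2>/dev/null
}

# Probe the container and print one FAIL line per check that does not hold.
# Returns 0 when all checks pass, 1 otherwise.
check_runtime_perms() {
    c="$1"
    bad=0

    # 1. The main user must not be root (docker exec runs as the image's USER).
    uid=$(in_container "$c" 'id -u' || true)
    if [ -z "$uid" ]; then
        echo "FAIL: could not read uid from container $c"; bad=1
    elif [ "$uid" -eq 0 ]; then
        echo "FAIL: process runs as root (uid 0); USER is not in effect"; bad=1
    fi

    # 2. Root-only files must stay unreadable.
    if in_container "$c" 'cat /etc/shadow >/dev/null'; then
        echo "FAIL: /etc/shadow is readable"; bad=1
    fi

    # 3. System directories must not be writable by the application user.
    if in_container "$c" 'touch /etc/.perm_probe && rm /etc/.perm_probe'; then
        echo "FAIL: /etc is writable"; bad=1
    fi

    [ "$bad" -eq 0 ] && echo "OK: $c runs as uid $uid with expected restrictions"
    return "$bad"
}

# Usage: sh verify_runtime_perms.sh myapp
if [ $# -gt 0 ]; then
    check_runtime_perms "$1"
fi
```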
Why Understanding Runtime Permissions Matters
A clear understanding of exactly what a non-root user can and cannot do at runtime is essential both for correctly configuring an application to work within those restrictions, and for appreciating the genuine security benefit those restrictions provide.