
Run without root? #147

Closed
qdm12 opened this issue Nov 19, 2018 · 11 comments
Comments

@qdm12

qdm12 commented Nov 19, 2018

Hi there!

It would be great if the container could be run without root (maybe as an option). It seems possible, see this, although with only one user I believe.

Thanks!

@atmoz
Owner

atmoz commented Nov 19, 2018

That would be possible if you mount your own sshd_config with UsePrivilegeSeparation no and use a custom Dockerfile:

FROM atmoz/sftp:latest
COPY sshd_config /etc/ssh/sshd_config
USER <sftp-user>

I haven't tried it, but this would be my starting point.

@qdm12 qdm12 closed this as completed Nov 22, 2018
@akrepon

akrepon commented Feb 21, 2019

This would not work with the entrypoint script, since it requires root privileges for creating folders and configurations. Is there any other way to do it?

@windmark

Hi @atmoz, is there an update on how this works together with the entrypoint script? I'm trying to deploy an SFTP server to OpenShift that is not allowed to run root containers.

@bsgrd

bsgrd commented Nov 23, 2020

I have the same issue with OpenShift.

> Hi @atmoz, is there an update on how this works together with the entrypoint script? I'm trying to deploy an SFTP server to OpenShift that is not allowed to run root containers.

I have also tried what was suggested here, but without any luck:

> That would be possible if you mount your own sshd_config with UsePrivilegeSeparation no and use a custom Dockerfile:
>
> FROM atmoz/sftp:latest
> COPY sshd_config /etc/ssh/sshd_config
> USER <sftp-user>
>
> I haven't tried it, but this would be my starting point.

@atmoz
Owner

atmoz commented Nov 24, 2020

Have you tried some of the tips from here? https://serverfault.com/questions/344295/is-it-possible-to-run-sshd-as-a-normal-user

@devops-abhishek

devops-abhishek commented Jul 27, 2021

> Have you tried some of the tips from here? https://serverfault.com/questions/344295/is-it-possible-to-run-sshd-as-a-normal-user

@atmoz: Can you help with a non-root configuration for SFTP? The link which was shared is not helpful.

@riprasad

Hello @bsgrd @windmark, were you able to successfully deploy to OpenShift?

@bsgrd

bsgrd commented Oct 15, 2021

Hi @riprasad
I only needed an SFTP server on OpenShift for testing purposes, so I actually ended up creating my own SFTP server using Spring Boot and the Apache sshd-sftp implementation:
implementation 'org.apache.sshd:sshd-sftp:2.5.1'

That works perfect for my use case.

@taylorjonl

For anyone coming across this, you can use this to create an image that could work for you:

FROM atmoz/sftp:alpine
EXPOSE 2022

# This was designed to run as user 1000 with a readonly root filesystem.
# It has the following expectations:
# /home/tekton/.ssh - mount to user ssh configuration with authorized_keys file
# /opt/ssh/keys - mount to host keys
# /var/run - must be writable (sshd writes its pid file there)
# If the system has a readonly filesystem you will need to mount a folder
# to contain the files, e.g. /home/tekton/workspace
# e.g.
# docker build -t atmoz:secure .
# docker run --rm -it --read-only -p 22:2022 \
#        -v "$PWD/workspace:/home/tekton/workspace" \
#        -v "$PWD/.ssh:/home/tekton/.ssh" \
#        -v "$PWD/keys:/opt/ssh/keys" \
#        -v "$PWD/run:/var/run" \
#        atmoz:secure

# Create uid/gid 1000, move the sshd config tree to a user-owned location,
# comment out the root-only directives (ChrootDirectory, HostKey), rewrite
# /etc paths to /opt, switch to an unprivileged port, and remove the
# root-only entrypoint helpers from the base image.
RUN addgroup -S -g 1000 tekton && adduser -S -u 1000 tekton -G tekton -h /home/tekton \
    && mv /etc/ssh /opt/ssh && chown -R 1000:1000 /opt/ssh \
    && sed -i '/^[^#]/ s/\(^ChrootDirectory.*$\)/#\1/' /opt/ssh/sshd_config \
    && sed -i '/^[^#]/ s/\(^HostKey.*$\)/#\1/' /opt/ssh/sshd_config \
    && sed -i 's/etc/opt/g' /opt/ssh/sshd_config \
    && echo "Port 2022" >> /opt/ssh/sshd_config \
    && rm /usr/local/bin/create-sftp-user /entrypoint

USER 1000

# Host keys are passed explicitly so the commented-out HostKey lines are not needed.
ENTRYPOINT /usr/sbin/sshd -D -e -f /opt/ssh/sshd_config \
           -h /opt/ssh/keys/ssh_host_ed25519_key \
           -h /opt/ssh/keys/ssh_host_rsa_key

This is a little crude but it should work and/or be a starting point.
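As an added example (not code from this issue or from the atmoz/sftp project), the following POSIX shell lint checks an sshd_config for the directives that the Dockerfile above comments out or overrides, and that atmoz's earlier suggestion touches: ChrootDirectory (needs root), a privileged port, host keys left under /etc/ssh, UsePrivilegeSeparation, and a pid file in a /var/run that may not be writable. The sample configs and the uid 1000 / /opt/ssh paths are constructed to match the Dockerfile and are assumptions.

```shell
#!/bin/sh
# Added example, not code from the issue or the atmoz/sftp project.
# Lints an sshd_config for directives that break when sshd runs as an
# unprivileged user. Paths mirror the Dockerfile above (assumption).

lint_nonroot_sshd_config() {
    awk '
    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    {
        key = tolower($1); val = $2
        if (key == "chrootdirectory")
            print "ERROR: ChrootDirectory " val " needs root for chroot(2); remove it and restrict with filesystem permissions"
        else if (key == "port") {
            seen_port = 1
            if (val + 0 < 1024) print "ERROR: Port " val " is privileged; use >= 1024 (the Dockerfile uses 2022)"
        } else if (key == "hostkey" && val ~ /^\/etc\/ssh\//)
            print "ERROR: HostKey " val " is root-only by default; move/chown it where the sshd user can read it"
        else if (key == "useprivilegeseparation" && val != "no")
            print "ERROR: UsePrivilegeSeparation " val "; set it to no as suggested in this thread (newer OpenSSH ignores the directive)"
        else if (key == "pidfile") {
            seen_pid = 1
            if (val ~ /^\/var\/run\//) print "NOTE: PidFile " val " needs /var/run writable by the sshd user"
        }
    }
    END {
        if (!seen_port) print "ERROR: no Port directive, so sshd defaults to 22, which needs root"
        if (!seen_pid) print "NOTE: no PidFile directive; default /var/run/sshd.pid needs a writable /var/run (or set PidFile none)"
    }' "$1"
}

# Number of ERROR findings (NOTEs are informational only).
count_nonroot_errors() {
    lint_nonroot_sshd_config "$1" | grep -c '^ERROR' || true
}

# Constructed sample: a stock-style config before the edits in the Dockerfile above.
sample_root_config() {
    printf '%s\n' 'Port 22' 'HostKey /etc/ssh/ssh_host_ed25519_key' \
        'HostKey /etc/ssh/ssh_host_rsa_key' 'ChrootDirectory %h' \
        '# UsePrivilegeSeparation sandbox' 'Subsystem sftp internal-sftp'
}

# Constructed sample: an sftp-only config that the lint accepts for running as uid 1000.
sample_nonroot_config() {
    printf '%s\n' 'Port 2022' 'HostKey /opt/ssh/keys/ssh_host_ed25519_key' \
        'PidFile none' 'PasswordAuthentication no' 'AllowUsers tekton' \
        'Subsystem sftp internal-sftp' 'ForceCommand internal-sftp'
}

if [ "$#" -gt 0 ]; then lint_nonroot_sshd_config "$1"; fi
```

Run it as `sh lint.sh /opt/ssh/sshd_config` inside the image (or against the file before building) and fix every ERROR before switching to USER 1000.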

@riprasad

riprasad commented Dec 7, 2021

An alternative solution is to use this Go-based SFTP server: https://github.com/drakkan/sftpgo

@vfiset

vfiset commented Apr 22, 2022

Thanks @taylorjonl! If others like me kept wondering why it works for him and not for you, it's because in his example the SFTP user and the user that runs the sshd process are the same. If for whichever reason you need to have 2 different users, you are fckd.
