Risks/caveats of using default root user #91

Closed
patrickkunka opened this issue Nov 27, 2020 · 1 comment
Comments

@patrickkunka
I'm slightly out of my depth here but I'll try my best to explain.

In the docs, it suggests using the deno user over root. This works fine when running my deno container locally, but when running on EC2, with the deno CLI --allow-write flag passed, I am unable to write to a mounted disk due to a permissions error:

PermissionDenied: Permission denied (os error 13)

Removing USER deno from my Dockerfile (and falling back to root) fixes this, but I wanted to understand whether there are any particular reasons I should be aware of not to do this.

Thank you

@hayd
Contributor

hayd commented Dec 16, 2020

You have to ensure that the deno USER has write permission for the directory you want to write to (you can change this prior to setting USER deno).

Docker does remove some of these necessities (it's not as important to lock a container down as it would be for a real machine), but generally it's good practice to restrict as much as possible (so that if it is compromised it doesn't have sudo access), i.e. "least privileged user".

What I would usually do is set the WORKDIR to /app and have that as owned by the deno user, or alternatively mount a volume.

This is certainly optional.

https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
(There are probably better references!)
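The pattern described in this answer (make the write target owned by the deno user before dropping to USER deno, and handle a mounted volume separately), as an added example that is not from the thread or the deno_docker project. It assumes the denoland/deno image, its built-in `deno` user and its `deno` ENTRYPOINT; `/app/data`, `/mnt/data` and `main.ts` are placeholders.

```dockerfile
# Added example; assumes the denoland/deno image, which ships a non-root
# user named `deno` and sets `deno` as the ENTRYPOINT.
FROM denoland/deno

# Still running as root here: create the directory the program will write
# to and hand it to the unprivileged user BEFORE switching USER.
WORKDIR /app
RUN mkdir -p /app/data && chown -R deno:deno /app

# Drop privileges. Every later instruction and the container process run
# as `deno`, so a compromised process has no root (and no sudo) in the box.
USER deno

# --chown keeps the copied sources owned by the runtime user as well.
COPY --chown=deno:deno . /app

# Least privilege on the Deno side too: scope --allow-write to the one
# directory that was prepared above instead of granting blanket writes.
CMD ["run", "--allow-write=/app/data", "main.ts"]

# Mounted volume caveat (the EC2 case in the question): a bind mount keeps
# the HOST directory's owner, so the chown above never applies to it. Either
# fix ownership on the host to the container's deno UID, e.g.
#   DENO_UID=$(docker run --rm --entrypoint id denoland/deno -u deno)
#   sudo chown -R "$DENO_UID" /mnt/data
#   docker run -v /mnt/data:/app/data my-image
# or use a named volume, which Docker initialises from the image's /app/data
# and therefore inherits the deno ownership set in this Dockerfile.
```

A quick check from inside the running container is `docker exec <ctr> sh -c 'id -u && touch /app/data/.probe'`; if the touch fails with "Permission denied" the mount's ownership, not the Dockerfile, is what still needs fixing.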

@hayd hayd closed this as completed Dec 16, 2020