Do not install privilege escalation tools like sudo, su, or doas in containers unless they are explicitly required for the application's functionality. Most containers run as root by default, making sudo redundant and potentially creating security vulnerabilities by expanding the attack surface.
Do not install privilege escalation tools like sudo, su, or doas in containers unless they are explicitly required for the application’s functionality. Most containers run as root by default, making sudo redundant and potentially creating security vulnerabilities by expanding the attack surface.
Before adding privilege escalation tools, consider:
Example of what to avoid:
# Unnecessary - container already runs as root
RUN apt-get update && \
apt-get install -y sudo
Example of better approach:
# Perform operations directly as root during build
RUN apt-get update && \
apt-get install -y required-package
This practice reduces the container’s attack surface and follows the principle of least privilege by not providing unnecessary tools that could be exploited by attackers.
Enter the URL of a public GitHub repository