
Docker does not care about user permissions. Why?

I have a docker file userPermissionDenied.df, here is its content:

FROM busybox:1.29
USER 1000:1000
ENTRYPOINT ["nc"]
CMD ["-l", "-p", "80", "0.0.0.0"]


I run the following commands:

> docker image build -t fooimg -f userPermissionDenied.df .
> docker container run fooimg

Now I expect the following output:

> nc: bind: Permission denied

But I am not getting any output at all:


the container just hangs. Why?

I am learning Docker through the Docker in Action by Jeff Nickoloff and that is where I got the use case from.

Given that you are running the nc command as a non-root user (due to the USER 1000:1000 directive in your Dockerfile), you might expect to see a "permission denied" error of some sort when nc tries to bind port 80.

In earlier versions of Docker that is exactly what would have happened, but a few years ago Docker was modified so that containers run with net.ipv4.ip_unprivileged_port_start=0, which means there are no longer any "privileged ports": any UID can bind any port.

You can see this setting by running sysctl inside a container:

$ docker run -it --rm -u 1000:1000 alpine sysctl -a |grep net.ipv4.ip_unprivileged_port_start
net.ipv4.ip_unprivileged_port_start = 0

the container just hangs. Why?

The container isn't "hanging"; it is successfully running nc -l -p 80, which is waiting for a connection to the container on port 80. If you were to use curl or some other tool to connect to port 80 in that container, it would display any data sent over the connection and then the container would exit when the connection is closed.
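The following probe is an added example, not part of the question or the answer above. It reads the same sysctl the answer points at, works out what the classic privileged-port rule would predict for the current UID and port, and then actually tries the bind so the two can be compared. Run it inside the container (for example with `docker run --rm -u 1000:1000 -v $PWD:/probe python:3-alpine python /probe/portprobe.py`) and it shows why `USER 1000:1000` alone does not stop port 80 from being bound. The file name and the 1024 fallback used when the sysctl is missing are assumptions of this example.

```python
"""Probe whether the current process may bind a low port, and explain why.

Added example; not from the original post. Reads
/proc/sys/net/ipv4/ip_unprivileged_port_start (the setting the answer
describes), predicts the outcome under the classic privileged-port rule,
then performs a real bind to confirm what the kernel actually does.
"""
import errno
import os
import socket
from pathlib import Path

SYSCTL_PATH = Path("/proc/sys/net/ipv4/ip_unprivileged_port_start")


def unprivileged_port_start():
    """Return the first port a non-root UID may bind, or None when the
    sysctl does not exist (non-Linux host, very old kernel)."""
    try:
        return int(SYSCTL_PATH.read_text().strip())
    except (OSError, ValueError):
        return None


def expected_outcome(uid, port, start):
    """Pure policy check, no sockets involved.

    Root (uid 0) may bind anything; everyone else only ports >= start.
    With Docker's default of start == 0 every UID may bind every port,
    which is exactly why the question's nc did not fail.
    """
    if uid == 0:
        return "bound"
    if start is None:
        start = 1024  # assumed classic default when the sysctl is absent
    return "bound" if port >= start else "EACCES"


def bind_probe(port, host="127.0.0.1"):
    """Try to bind a TCP listener and report what the kernel said.

    Returns 'bound', 'EACCES' (privileged-port refusal) or
    'errno:<NAME>' for any other failure such as EADDRINUSE.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        sock.bind((host, port))
        return "bound"
    except PermissionError:
        return "EACCES"
    except OSError as exc:
        return "errno:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def report(port=80):
    """Combine sysctl value, policy prediction and the real bind result."""
    uid = os.getuid() if hasattr(os, "getuid") else -1
    start = unprivileged_port_start()
    return {
        "uid": uid,
        "port": port,
        "ip_unprivileged_port_start": start,
        "expected": expected_outcome(uid, port, start),
        "actual": bind_probe(port),
    }


if __name__ == "__main__":
    for key, value in report(80).items():
        print(f"{key}: {value}")
```

If the container must keep the traditional restriction (so that a non-root process really is refused port 80), start it with the sysctl set back explicitly, e.g. `docker run --sysctl net.ipv4.ip_unprivileged_port_start=1024 ...`; the probe's "expected" and "actual" fields will then both report EACCES for UID 1000 on port 80.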
