
  • Question

  • Hi,
    I'm working with the docker image "mcr.microsoft.com/dotnet/framework/aspnet". I've noticed that the default user for windowsservercore is ContainerAdministrator. If I try to run the image with the user ContainerUser (docker run -u ContainerUser mcr.microsoft.com/dotnet/framework/aspnet:4.7.2-windowsservercore-ltsc2019) I get the following error: ERROR: Failed to stop or query status of service 'w3svc' error [80070005].
    I think that the error is related to the permissions that the user needs to run ServiceMonitor. So, first of all, is it correct to assume that windowsservercore images must run with ContainerAdministrator and cannot run with ContainerUser?
     
    If the assumption above is correct, I would like to confirm if running the container with ContainerAdministrator can expose the container to a security issue. As far as I understand, even if ServiceMonitor.exe is started with ContainerAdministrator, the external-facing process is the IIS Windows service, which runs under a local account in the IIS_IUSRS group. So even if an attacker could compromise the application, they will not have administrator access to the container. Can anyone confirm if this is correct?
    Tuesday, May 14, 2019 11:33 AM