Vaultwarden doesn't run as non-root in process monitor

Hello @ all,

I have a problem starting vaultwarden with docker-compose as a non-root user.
The user is named vaultwarden with uid/gid 1001.
In the container logs everything looks good, no errors.

This is my config:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    user: 1001:1001
    restart: always
    environment:
      - ADMIN_TOKEN=admintoken
      - DATABASE_URL=mysql://vaultwarden:password@ip/vaultwarden
      - DOMAIN=https://domain.tld
      - INVITATIONS_ALLOWED=false
      - LOG_LEVEL=info
      - ROCKET_PORT=8080
      - SIGNUPS_ALLOWED=false
      - SIGNUPS_VERIFY=true
      - SMTP_FROM_NAME=Vaultwarden
      - SMTP_HOST=mailhoster
      - SMTP_FROM=vaultwarden
      - SMTP_PORT=587
      - SMTP_SSL=true
      - SMTP_EXPLICIT_TLS=true
      - SMTP_USERNAME=email
      - SMTP_PASSWORD=password
      - TZ=Europe/Berlin
      #- WEBSOCKET_ENABLED=true
    logging:
      driver: syslog
      options:
        syslog-address: "udp://10.10.20.4:514"
        tag: "Vaultwarden"
    ports:
      - 8080:8080
    volumes:
      - /vw-data:/data/

The container starts and runs fine, but when I look with htop or top I can see that the docker process runs as user root.

Thanks for your help.

With best regards,
Dirtydan

Running with docker environment variables such as user: 1001:1001 does NOT change how the docker process is run; it only changes which user the process runs as within the container itself.
So with uid/gid 1001:1001, this will run the Vaultwarden docker container as that process instead of root inside of the container.

This means any files the Vaultwarden container writes to the persistent volumes mapped from your host will be written as uid/gid 1001 and owned by that user.

Inside the container you may see errors about the user 1001 not being recognized. This is because, though the kernel is shared, the container is not aware of user 1001, as it was only created on the host and not in the container. This is okay though, because the process will still run as user 1001 and those files will still be written with permissions for user 1001 properly.

If you are looking to run the docker service itself as a non-root user, then you will want to look into running docker in rootless mode.

Basically this is a completely separate set of issues, one being file permissions vs. best-practice security concerns.
Docker by itself is fairly robust and handles containerization and security well with namespaces and the like; the concern would be in the event there is an unknown zero-day exploit or vulnerability with docker: if your instance is publicly accessible, someone who is able to gain root within a container could escalate to root outside of the container.

Another, more common concern may be that the system administrator is someone different from the app administrator: if Vaultwarden is being run on a service account with uid 1001 and that account needs to run docker, that user id is typically added to the docker users group.
Adding users to the docker group effectively provides root access.

If running docker rootless, then, so long as all other pre-requisites are met, the non-root user 1001 can install docker rootless and run docker containers without needing to be added to the docker group and being granted root-level access.
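Added example, not from the thread or the Vaultwarden project: a small POSIX shell script that checks the three things the question runs together, namely the host uid of the container's process (what top/htop show), the owner of the files written to the volume, and whether the daemon itself is rootless, plus whether the service account sits in the docker group. The container name, data path and user name follow the compose file above; the RUN_LIVE=1 switch is this script's own convention so the helper functions can be sourced without docker present.

```shell
#!/bin/sh
# Added example (not part of the thread). Separates "which uid does the
# container process have on the host" from "is the Docker daemon rootless".
set -e

CONTAINER="${CONTAINER:-vaultwarden}"   # container_name from the compose file
DATA_DIR="${DATA_DIR:-/vw-data}"         # host side of the /data volume
SERVICE_USER="${SERVICE_USER:-vaultwarden}"

# Uid of a host PID, as top/htop would show it. Reads /proc on Linux and
# falls back to ps elsewhere.
host_uid_of_pid() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^Uid:/ { print $2 }' "/proc/$1/status"
    else
        ps -o uid= -p "$1" | tr -d ' '
    fi
}

# Numeric owner of a file or directory (GNU stat first, BSD stat as fallback).
owner_uid() {
    stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# "rootless" or "rootful", decided from the list printed by
# `docker info --format '{{.SecurityOptions}}'` (rootless daemons list name=rootless).
daemon_mode() {
    case "$1" in
        *name=rootless*) echo rootless ;;
        *)               echo rootful ;;
    esac
}

# "yes" if a space-separated group list (as from `id -nG USER`) contains
# "docker"; on a rootful daemon that membership is equivalent to root.
in_docker_group() {
    for g in $1; do [ "$g" = docker ] && { echo yes; return; }; done
    echo no
}

# Live checks against a running daemon; only run when RUN_LIVE=1 is set.
live_checks() {
    pid=$(docker inspect --format '{{.State.Pid}}' "$CONTAINER")
    echo "container main process runs on the host as uid $(host_uid_of_pid "$pid")"
    echo "$DATA_DIR is owned by uid $(owner_uid "$DATA_DIR")"
    echo "daemon mode: $(daemon_mode "$(docker info --format '{{.SecurityOptions}}')")"
    echo "$SERVICE_USER in docker group: $(in_docker_group "$(id -nG "$SERVICE_USER")")"
}

[ "${RUN_LIVE:-0}" = 1 ] && live_checks || true
```

With the compose file from the question, the first line reports uid 1001 even though dockerd itself is still root; only "daemon mode: rootless" means the daemon has been moved out of root.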