[GH-ISSUE #84] Request: Run as unprivileged user by default (docker image) #55

New issue

Closed

opened 2026-03-15 12:19:01 +03:00 by kerem · 1 comment

kerem commented 2026-03-15 12:19:01 +03:00

Owner

Copy link

Originally created by @LeoniePhiline on GitHub (Apr 3, 2023).
Original GitHub issue: https://github.com/axllent/mailpit/issues/84

Hi!

First of all, thank you for creating and sharing mailpit! ❤️

To increase runtime security, it would be great if the default dockerfile could run as an unprivileged user, instead of root.

See also good old MailHog's Dockerfile: https://github.com/mailhog/MailHog/blob/master/Dockerfile

What do you think?

Originally created by @LeoniePhiline on GitHub (Apr 3, 2023). Original GitHub issue: https://github.com/axllent/mailpit/issues/84 Hi! First of all, thank you for creating and sharing mailpit! ❤️ To increase runtime security, it would be great if the default dockerfile could run as an unprivileged user, instead of `root`. See also good old MailHog's `Dockerfile`: https://github.com/mailhog/MailHog/blob/master/Dockerfile What do you think?

kerem closed this issue 2026-03-15 12:19:06 +03:00

kerem commented 2026-03-15 12:19:12 +03:00

Author

Owner

Copy link

@axllent commented on GitHub (Apr 3, 2023):

Thanks for using Mailpit! I must admit that I considered this initially when I created the Docker image, but intentionally decided not to actually implement it. I found the disadvantages heavily outweighed the benefits of using a non-root alternative:

1. There is nothing stopping anyone from running their Docker container as any user they like (docs). Users savvy enough to specify a user in their Docker command would also understand the implications of permissions on any mounted volumes / directories.
2. I predicted that by setting a default non-root user I would get a constant stream of error reports when users were trying to use persistent storage, given that docker will create volumes and/or create mounted directories as root, requiring additional steps for anyone using these options to have to take additional steps to manually change their mount points' permissions, either on the host OS, or via docker itself (which isn't overly easy when the docker container is failing to start because Mailpit doesn't have read/write permissions to the storage volume / path).
3. Users wanting to run Mailpit in Docker using port 25 would hit issues as non-root users are blocked from running services below post 1024. I know they could simply map the ports via Docker, but there would always be some that would try.
4. In my opinion, running the Mailpit service as root within Docker is really not much of a security risk, if any at all, given that it is literally just Mailpit running within the container, Mailpit does not run any system commands, and it is running within Docker which separated it from the host OS. I cannot think of a single situation whereby Mailpit could be abused to "jailbreak" from Docker, or do anything it was never intended to. On that note too, Mailpit isn't a public-facing service, but a developer tool.
5. Switching now to running as a default non-root user will definitely cause upstream issues with anyone who has already provisioned environments with persistent storage, as existing mount points and database files will be root-owned. The only work-around for this would be to introduce some "init system" whereby the system is still started as root, and the startup scripts would chown/chmod the mounted volumes/directories to that of the "wanted user", however that introduces overhead and complications, not to mention the permission changes to the user's mount points. It also means that root is still being used, so how much is one "winning", if anything....

So my point is, I believe that switching to any non-root user by default is not a good option at all, and would not address any security concern I could imagine. As I mentioned in the first point, there is nothing stopping you from running it as any user ID or group you like, just by adding Docker arguments.

I hope my logic/reasoning makes sense to you?

<!-- gh-comment-id:1494918346 --> @axllent commented on GitHub (Apr 3, 2023): Thanks for using Mailpit! I must admit that I considered this initially when I created the Docker image, but intentionally decided not to actually implement it. I found the disadvantages heavily outweighed the benefits of using a non-root alternative: 1. There is nothing stopping anyone from running their Docker container as any user they like ([docs](https://docs.docker.com/engine/reference/run/#user)). Users savvy enough to specify a user in their Docker command would also understand the implications of permissions on any mounted volumes / directories. 2. I predicted that by setting a default non-root user I would get a constant stream of error reports when users were trying to use persistent storage, given that docker will create volumes and/or create mounted directories as root, requiring additional steps for anyone using these options to have to take additional steps to manually change their mount points' permissions, either on the host OS, or via docker itself (which isn't overly easy when the docker container is failing to start because Mailpit doesn't have read/write permissions to the storage volume / path). 3. Users wanting to run Mailpit in Docker using port 25 would hit issues as non-root users are blocked from running services below post 1024. I know they could simply map the ports via Docker, but there would always be some that would try. 4. In my opinion, running the Mailpit service as root within Docker is really not much of a security risk, if any at all, given that it is literally just Mailpit running within the container, Mailpit does not run any system commands, and it is running within Docker which separated it from the host OS. I cannot think of a single situation whereby Mailpit could be abused to "jailbreak" from Docker, or do anything it was never intended to. On that note too, Mailpit isn't a public-facing service, but a developer tool. 5. Switching now to running as a default non-root user will definitely cause upstream issues with anyone who has already provisioned environments with persistent storage, as existing mount points and database files will be root-owned. The only work-around for this would be to introduce some "init system" whereby the system is still started as root, and the startup scripts would chown/chmod the mounted volumes/directories to that of the "wanted user", however that introduces overhead and complications, not to mention the permission changes to the user's mount points. It also means that root is still being used, so how much is one "winning", if anything.... So my point is, I believe that switching to any non-root user by default is not a good option at all, and would not address any security concern I could imagine. As I mentioned in the first point, there is nothing stopping you from running it as any user ID or group you like, just by adding Docker arguments. I hope my logic/reasoning makes sense to you?

kerem referenced this issue 2026-03-15 14:18:16 +03:00

[PR #55] [MERGED] Bump golang.org/x/image from 0.3.0 to 0.5.0 #422

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

master

v1.29.7

v1.29.6

v1.29.5

v1.29.4

v1.29.3

v1.29.2

v1.29.1

v1.29.0

v1.28.4

v1.28.3

v1.28.2

v1.28.1

v1.28.0

v1.27.11

v1.27.10

v1.27.9

v1.27.8

v1.27.7

v1.27.6

v1.27.5

v1.27.4

v1.27.3

v1.27.2

v1.27.1

v1.27.0

v1.26.2

v1.26.1

v1.26.0

v1.25.1

v1.25.0

v1.24.2

v1.24.1

v1.24.0

v1.23.2

v1.23.1

v1.23.0

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.21.1

v1.21.0

v1.20.7

v1.20.6

v1.20.5

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.18.7

v1.18.6

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.1

v1.17.0

v1.16.0

v1.15.1

v1.15.0

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.1

v1.12.0

v1.11.1

v1.11.0

v1.10.4

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.9.10

v1.9.9

v1.9.8

v1.9.7

v1.9.6

v1.9.5

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.8.4

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.7.1

v1.7.0

v1.6.22

v1.6.21

v1.6.20

v1.6.19

v1.6.18

v1.6.17

v1.6.16

v1.6.15

v1.6.14

v1.6.13

v1.6.12

v1.6.11

v1.6.10

v1.6.9

v1.6.8

v1.6.7

v1.6.6

v1.6.5

v1.6.4

v1.6.3

v1.6.2

v1.6.1

v1.6.0

v1.5.5

v1.5.4

v1.5.3

v1.5.2

v1.5.1

v1.5.0

v1.4.0

v1.3.11

v1.3.10

v1.3.9

v1.3.8

v1.3.7

v1.3.6

v1.3.5

v1.3.4

v1.3.3

v1.3.2

v1.3.1

v1.3.0

v1.2.9

v1.2.8

v1.2.7

v1.2.6

1.2.5

1.2.4

1.2.3

1.2.2

1.2.1

1.2.0

1.1.7

1.1.6

1.1.5

1.1.4

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta1

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

0.0.9

0.0.8

0.0.7

0.0.6

0.0.5

0.0.4

0.0.3

0.0.2

0.0.1-beta

Labels

Clear labels   

awaiting feedback

  

bug

  

docker

  

documentation

  

enhancement

  

github_actions

  

invalid

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

wontfix

No labels

awaiting feedback

bug

docker

documentation

enhancement

github_actions

invalid

pull-request

question

stale

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/mailpit#55

No description provided.