Using #PowerShell Direct to Circumvent the USER Directive in Dockerfile #WindowsContainer

When using the USER directive in Dockerfile, all subsequent commands are forced to run as the specified user. This is a security feature to prevent processes from changing the configuration inside the container. But this is a nightmare when troubleshooting because you cannot make changes to the container trying to fix the issue at hand. Luckily, there is a way around this security feature when running containers on Windows.

Consider the following container which forces all processes inside the container to run as the user called jailed:

FROM microsoft/windowsservercore

RUN net user jailed /add
USER jailed

Let’s quickly build the image (calling it jailimage), start the container called jailtest, and store the container ID:

docker build -t jailimage .
docker run -d --name jailtest jailimage ping -t localhost
$Id = & docker inspect --format "{{.ID}}" jailtest

As soon as you begin to troubleshoot the behaviour, running docker exec only allows you to analyze as the user jailed:

docker exec $Id whoami

But fortunately, Microsoft has added a feature called PowerShell Direct to enter virtual machines and containers from the host without relying on a network connection. Remoting cmdlets support a new parameter called -ContainerId to execute commands inside the container with the specified ID. And you can even force an administrative session to be started using the -RunAsAdministrator:

Invoke-Command -ContainerId $Id -ScriptBlock {whoami}
#user manager\containeruser
Invoke-Command -ContainerId $Id -ScriptBlock {whoami} -RunAsAdministrator
#user manager\containeradministrator

Needless to say, the same works for interactive sessions using Enter-PSSession:

Enter-PSSession -ContainerId $Id -RunAsAdministrator

By the way, similar commands also work against VMs when using Invoke-Command, Enter-PSSession and New-PSSession.

Feedback is always welcome! If you'd like to get in touch with me concerning the contents of this article, please use Twitter.