cloudfoundry
diff --git a/‎app/actions/deployment_create.rb
Lines changed: 1 addition & 0 deletions b/‎app/actions/deployment_create.rb
Lines changed: 1 addition & 0 deletions
diff --git a/‎app/actions/process_update.rb
Lines changed: 1 addition & 0 deletions b/‎app/actions/process_update.rb
Lines changed: 1 addition & 0 deletions
diff --git a/‎app/messages/process_update_message.rb
Lines changed: 11 additions & 1 deletion b/‎app/messages/process_update_message.rb
Lines changed: 11 additions & 1 deletion
diff --git a/‎app/models.rb
Lines changed: 1 addition & 0 deletions b/‎app/models.rb
Lines changed: 1 addition & 0 deletions
diff --git a/‎app/models/runtime/constraints/process_user_policy.rb
Lines changed: 26 additions & 0 deletions b/‎app/models/runtime/constraints/process_user_policy.rb
Lines changed: 26 additions & 0 deletions
diff --git a/‎app/models/runtime/process_model.rb
Lines changed: 25 additions & 5 deletions b/‎app/models/runtime/process_model.rb
Lines changed: 25 additions & 5 deletions
diff --git a/‎app/presenters/v3/process_presenter.rb
Lines changed: 1 addition & 0 deletions b/‎app/presenters/v3/process_presenter.rb
Lines changed: 1 addition & 0 deletions
diff --git a/‎config/cloud_controller.yml
Lines changed: 1 addition & 0 deletions b/‎config/cloud_controller.yml
Lines changed: 1 addition & 0 deletions
diff --git a/‎db/migrations/20250610212414_add_user_to_processes.rb
Lines changed: 13 additions & 0 deletions b/‎db/migrations/20250610212414_add_user_to_processes.rb
Lines changed: 13 additions & 0 deletions
diff --git a/‎docs/v3/source/includes/api_resources/_processes.erb
Lines changed: 3 additions & 0 deletions b/‎docs/v3/source/includes/api_resources/_processes.erb
Lines changed: 3 additions & 0 deletions
@@ -113,6 +113,7 @@ def clone_existing_web_process(app, revision, process_instances)
           state: ProcessModel::STOPPED,
           instances: process_instances,
           command: command,
+          user: web_process.user,
           memory: web_process.memory,
           file_descriptors: web_process.file_descriptors,
           disk_quota: web_process.disk_quota,
 
@@ -31,6 +31,7 @@ def update(process, message, strategy_class)
         end
 
         process.command              = strategy.updated_command if message.requested?(:command)
+        process.user                 = message.user if message.requested?(:user)
         process.health_check_timeout = message.health_check_timeout if message.requested?(:health_check_timeout)
 
         process.health_check_invocation_timeout = message.health_check_invocation_timeout if message.requested?(:health_check_invocation_timeout)
 
@@ -3,7 +3,7 @@
 
 module VCAP::CloudController
   class ProcessUpdateMessage < MetadataBaseMessage
-    register_allowed_keys %i[command health_check readiness_health_check]
+    register_allowed_keys %i[command user health_check readiness_health_check]
 
     # rubocop:disable Metrics/CyclomaticComplexity
     def initialize(params={})
@@ -25,6 +25,10 @@ def self.command_requested?
       @command_requested ||= proc { |a| a.requested?(:command) }
     end
 
+    def self.user_requested?
+      @user_requested ||= proc { |a| a.requested?(:user) }
+    end
+
     validates_with NoAdditionalKeysValidator
 
     validates :command,
@@ -33,6 +37,12 @@ def self.command_requested?
               allow_nil: true,
               if: command_requested?
 
+    validates :user,
+              string: true,
+              length: { in: 1..255, message: 'must be between 1 and 255 characters' },
+              allow_nil: true,
+              if: user_requested?
+
     validates :health_check_type,
               inclusion: {
                 in: [HealthCheckTypes::PORT, HealthCheckTypes::PROCESS, HealthCheckTypes::HTTP],
 
@@ -63,6 +63,7 @@
 require 'models/runtime/constraints/readiness_health_check_policy'
 require 'models/runtime/constraints/docker_policy'
 require 'models/runtime/constraints/sidecar_memory_less_than_process_memory_policy'
+require 'models/runtime/constraints/process_user_policy'
 require 'models/runtime/revision_model'
 require 'models/runtime/revision_process_command_model'
 require 'models/runtime/revision_sidecar_model'
 
@@ -0,0 +1,26 @@
+class ProcessUserPolicy
+  ERROR_MSG = 'invalid (requested user %<requested_user>s not allowed, permitted users are: %<allowed_users>s)'.freeze
+
+  def initialize(process, allowed_users)
+    @process = process
+    @allowed_users = allowed_users
+    @errors = process.errors
+  end
+
+  def validate
+    return if @process.user.blank?
+    return if @allowed_users.map(&:downcase).include?(@process.user.downcase)
+
+    @errors.add(:user, sprintf(ERROR_MSG, requested_user: quote_user(@process.user), allowed_users: formatted_users_for_error))
+  end
+
+  private
+
+  def formatted_users_for_error
+    @allowed_users.map { |u| quote_user(u) }.join(', ')
+  end
+
+  def quote_user(user)
+    "'#{user}'"
+  end
+end
@@ -13,7 +13,7 @@
 require_relative 'buildpack'
 
 module VCAP::CloudController
-  class ProcessModel < Sequel::Model(:processes)
+  class ProcessModel < Sequel::Model(:processes) # rubocop:disable Metrics/ClassLength
     include Serializer
 
     plugin :serialization
@@ -34,7 +34,8 @@ def after_initialize
     NO_APP_PORT_SPECIFIED = -1
     DEFAULT_HTTP_PORT     = 8080
     DEFAULT_PORTS         = [DEFAULT_HTTP_PORT].freeze
-    UNLIMITED_LOG_RATE    = -1
+    DEFAULT_USER = 'vcap'.freeze
+    UNLIMITED_LOG_RATE = -1
 
     many_to_one :app, class: 'VCAP::CloudController::AppModel', key: :app_guid, primary_key: :guid, without_guid_generation: true
     many_to_one :revision, class: 'VCAP::CloudController::RevisionModel', key: :revision_guid, primary_key: :guid, without_guid_generation: true
@@ -267,7 +268,8 @@ def validation_policies
         ReadinessHealthCheckPolicy.new(self, readiness_health_check_invocation_timeout, readiness_health_check_type, readiness_health_check_http_endpoint,
                                        readiness_health_check_interval),
         DockerPolicy.new(self),
-        PortsPolicy.new(self)
+        PortsPolicy.new(self),
+        ProcessUserPolicy.new(self, permitted_users)
       ]
     end
 
@@ -391,6 +393,12 @@ def started_command
       specified_commands[type] || revision.droplet&.process_start_command(type) || ''
     end
 
+    def run_action_user
+      return user if user.present?
+
+      docker? ? docker_run_action_user : DEFAULT_USER
+    end
+
     def specified_or_detected_command
       command.presence || detected_start_command
     end
@@ -446,15 +454,15 @@ def debug
 
     delegate :cnb?, to: :app
 
+    delegate :windows_gmsa_credential_refs, to: :app
+
     def database_uri
       service_binding_uris = service_bindings.map do |binding|
         binding.credentials['uri'] if binding.credentials.present?
       end.compact
       DatabaseUriGenerator.new(service_binding_uris).database_uri
     end
 
-    delegate :windows_gmsa_credential_refs, to: :app
-
     def max_app_disk_in_mb
       VCAP::CloudController::Config.config.get(:maximum_app_disk_in_mb)
     end
@@ -564,6 +572,18 @@ def open_ports
 
     private
 
+    def permitted_users
+      Set.new([DEFAULT_USER]) + Config.config.get(:additional_allowed_process_users)
+    end
+
+    def docker_run_action_user
+      return DEFAULT_USER unless docker?
+
+      docker_exec_metadata = Oj.load(execution_metadata)
+      container_user = docker_exec_metadata['user']
+      container_user.presence || 'root'
+    end
+
     def non_unique_process_types
       return [] unless app
 
 
@@ -28,6 +28,7 @@ def to_hash
             version: process.version,
             type: process.type,
             command: redact(process.specified_or_detected_command),
+            user: process.run_action_user,
             instances: process.instances,
             memory_in_mb: process.memory,
             disk_in_mb: process.disk_quota,
 
@@ -67,6 +67,7 @@ maximum_app_disk_in_mb: 2048
 max_retained_deployments_per_app: 100
 max_retained_builds_per_app: 100
 max_retained_revisions_per_app: 100
+additional_allowed_process_users: ['ContainerUser']
 
 broker_client_default_async_poll_interval_seconds: 60
 broker_client_max_async_poll_duration_minutes: 10080
 
@@ -0,0 +1,13 @@
+Sequel.migration do
+  up do
+    alter_table :processes do
+      add_column :user, String, null: true, default: nil, size: 255 unless @db.schema(:processes).map(&:first).include?(:user)
+    end
+  end
+
+  down do
+    alter_table :processes do
+      drop_column :user if @db.schema(:processes).map(&:first).include?(:user)
+    end
+  end
+end
@@ -3,6 +3,7 @@
   "guid": "6a901b7c-9417-4dc1-8189-d3234aa0ab82",
   "type": "web",
   "command": "rackup",
+  "user": "vcap",
   "instances": 5,
   "memory_in_mb": 256,
   "disk_in_mb": 1024,
@@ -80,6 +81,7 @@
       "guid": "6a901b7c-9417-4dc1-8189-d3234aa0ab82",
       "type": "web",
       "command": "[PRIVATE DATA HIDDEN IN LISTS]",
+      "user": "vcap",
       "instances": 5,
       "memory_in_mb": 256,
       "disk_in_mb": 1024,
@@ -141,6 +143,7 @@
       "guid": "3fccacd9-4b02-4b96-8d02-8e865865e9eb",
       "type": "worker",
       "command": "[PRIVATE DATA HIDDEN IN LISTS]",
+      "user": "vcap",
       "instances": 1,
       "memory_in_mb": 256,
       "disk_in_mb": 1024,