Validate use of 'root' user by Processes and Tasks

acosta11 · acosta11 · commit c5fcbde42ba0 · 2025-07-14T14:58:12.000-07:00
* Policy implementation because we rely on current process.docker? db
  state
* Initial implementation only allows root user for docker lifecycle Apps
diff --git a/app/models/runtime/constraints/process_user_policy.rb b/app/models/runtime/constraints/process_user_policy.rb
@@ -9,6 +9,9 @@ def initialize(process, allowed_users)
 
   def validate
     return if @process.user.blank?
+
+    return if @process.docker? && @process.user.downcase == 'root' && VCAP::CloudController::Config.config.get(:allow_process_root_user)
+
     return if @allowed_users.map(&:downcase).include?(@process.user.downcase)
 
     @errors.add(:user, sprintf(ERROR_MSG, requested_user: quote_user(@process.user), allowed_users: formatted_users_for_error))
diff --git a/app/models/runtime/process_model.rb b/app/models/runtime/process_model.rb
@@ -576,8 +576,6 @@ def permitted_users
     end
 
     def docker_run_action_user
-      return AppModel::DEFAULT_CONTAINER_USER unless docker?
-
       desired_droplet&.docker_user.presence || (Config.config.get(:allow_process_root_user) ? AppModel::DEFAULT_DOCKER_CONTAINER_USER : AppModel::DEFAULT_CONTAINER_USER)
     end
 
diff --git a/spec/unit/models/runtime/constraints/process_user_policy_spec.rb b/spec/unit/models/runtime/constraints/process_user_policy_spec.rb
@@ -44,6 +44,38 @@
     end
   end
 
+  context 'when process belongs to a Docker lifecycle app' do
+    let(:process) { VCAP::CloudController::ProcessModelFactory.make({ docker_image: 'example.com/image' }) }
+
+    context 'when root user is allowed' do
+      before do
+        TestConfig.override(allow_process_root_user: true)
+      end
+
+      context 'when the process specifies the root user' do
+        let(:process_user) { 'root' }
+
+        it 'is valid' do
+          expect(validator).to validate_without_error(process)
+        end
+      end
+    end
+
+    context 'when root user is not allowed' do
+      before do
+        TestConfig.override(allow_process_root_user: false)
+      end
+
+      context 'when the process specifies the root user' do
+        let(:process_user) { 'root' }
+
+        it 'is not valid' do
+          expect(validator).to validate_with_error(process, :user, sprintf(ProcessUserPolicy::ERROR_MSG, requested_user: "'root'", allowed_users: "'vcap', 'ContainerUser'"))
+        end
+      end
+    end
+  end
+
   describe 'case insensitivity' do
     context 'when user is allowed, but does not match case' do
       let(:process_user) { 'vCaP' }
