This pattern allows a non-root container user to run utilities that use file-based credentials (e.g., gh, git) while limiting direct access to those credential files. Credentials are mounted into root's home and read by utilities run via sudo.
If a privileged utility can be instructed to read arbitrary files or dump its credentials, no security is provided beyond obfuscation. This pattern can be useful to prevent accidental reads or low-complexity exploits, but it will not block access. A proxy-based approach, combined with credential injection into the request, is better. For example, both of the following return the mounted credentials when run through the wrappers:

```sh
gh auth token
git diff /dev/null /root/.ssh/id_rsa
```
Using gh and git as examples:
```dockerfile
FROM ubuntu:24.04
RUN apt-get update && apt-get install -y sudo gh git && rm -rf /var/lib/apt/lists/*
RUN useradd -m developer
# Passwordless sudo for gh and git only
RUN echo 'ALL ALL=(ALL) NOPASSWD: /usr/bin/gh, /usr/bin/git' > /etc/sudoers.d/nopasswd \
 && chmod 440 /etc/sudoers.d/nopasswd
# Wrapper functions so commands transparently run as root
RUN echo 'gh() { sudo /usr/bin/gh "$@"; }' >> /home/developer/.bashrc \
 && echo 'git() { sudo /usr/bin/git "$@"; }' >> /home/developer/.bashrc
USER developer
WORKDIR /home/developer
```

```sh
docker run -it \
  -v ~/.ssh:/root/.ssh:ro \
  -v ~/.config/gh:/root/.config/gh:ro \
  -v ~/.gitconfig:/root/.gitconfig:ro \
  your-image
```

- Container runs as `developer` (non-root)
- Host credentials are mounted into `/root/` (only root can read them)
- The shell wrappers are invoked transparently and run utilities via sudo
- The non-root user cannot read credential files directly
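An added audit helper, not part of the pattern above, that parses the sudoers rule from the Dockerfile and flags the settings a reviewer would tighten: the `ALL` user spec (which grants every account, not just `developer`), a runas of `ALL` rather than `root`, commands outside the expected allow-list, and target binaries that a non-root user could overwrite. The `developer`-scoped rule it is compared against is my assumption, not something the page specifies.

```python
import os
import re
from dataclasses import dataclass

# One sudoers rule of the shape used above:
#   <user> <host>=(<runas>) [TAG:...] <cmd>[, <cmd>...]
RULE_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)

@dataclass
class SudoRule:
    user: str
    host: str
    runas: str
    nopasswd: bool
    commands: list

def parse_rule(line: str) -> SudoRule:
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised sudoers rule: {line!r}")
    tags = {t.strip(": ") for t in m.group("tags").split()}
    cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
    return SudoRule(m.group("user"), m.group("host"), m.group("runas"),
                    "NOPASSWD" in tags, cmds)

def audit_rule(rule: SudoRule, expected_user="developer",
               expected_cmds=(), check_fs=True) -> list:
    """Return human-readable findings; an empty list means the rule is as tight as expected."""
    findings = []
    if rule.user == "ALL":
        findings.append("user spec is ALL: every account may run these commands, not only "
                        f"{expected_user}")
    elif rule.user != expected_user:
        findings.append(f"user spec is {rule.user}, expected {expected_user}")
    if rule.runas in ("ALL", ""):
        findings.append("runas is ALL: narrow it to (root)")
    for cmd in rule.commands:
        if cmd == "ALL":
            findings.append("command list is ALL: unrestricted root")
        elif not cmd.startswith("/"):
            findings.append(f"{cmd}: not an absolute path")
        elif cmd not in expected_cmds:
            findings.append(f"{cmd}: not in the expected allow-list")
        # Assumption: run inside the image, so the binaries exist to stat.
        if check_fs and os.path.isfile(cmd) and os.stat(cmd).st_mode & 0o022:
            findings.append(f"{cmd}: group/world writable; a non-root user could replace it")
    return findings
```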