Use default shell for non-root user in non-distroless images

[lbussell]

Fixes #4467

[dotnet-issue-labeler]

I couldn't figure out the best area label to add to this PR. If you have write-permissions please help me learn by adding exactly one area label.

[MichaelSimons]

Consider added test coverage for this in VerifyCommonDefaultUser. The goal would be to ensure consistency across our images and to prevent unintentional regressions in the future.

[lbussell]

OK, I tried to write a test for this and came away with some learning.

1. When we remove the --shell /bin/false line, the default shell for the app user becomes /sbin/nologin, which is like /bin/false but instead of immediately exiting, prints "This account is not available". They're functionally equivalent.
2. The reason you still get a shell when running docker run -it -u app <container> is because the -u app argument only tells docker which user to run your process as, not which shell to use in interactive mode. For that, it looks at the entrypoint/CMD, which for alpine (where I've been testing), is /bin/sh: https://github.com/alpinelinux/docker-alpine/blob/d8ed1701dac37e1b6db026bec0a26be683288074/x86_64/Dockerfile#L3

Therefore, I'm not sure if there's a point to ever specify /bin/false, unless another distro has different behavior without specifying a shell. I'll do some research on that. I guess we could write a test to check /etc/passwd and make sure that non-root users, if they exist, have either /bin/false or /sbin/nologin set as their login shell.

[mthalman]

Consider added test coverage for this in VerifyCommonDefaultUser. The goal would be to ensure consistency across our images and to prevent unintentional regressions in the future.

Given that this has essentially the same functional behavior between the old definition and the new definition, the change here is basically cosmetic. I don't see much value having a test for it. Consistency across the Dockerfiles should be provided by the templates. So the test's conditional logic would essentially mirror the conditions in the templates. I'm all for tests but I want to them to have high value. Each test we add has an impact on pipeline performance and I want to avoid death by a thousand paper cuts.

[lbussell]

I ran the test against all our distros and found the following default shells when no shell is specified at user creation:

alpine3.17     /sbin/nologin
bookworm       /bin/sh
cbl-mariner2.0 /bin/bash
jammy          /usr/sbin/nologin

Obviously distroless images don't have a shell. Do you still think we should leave these as default or continue setting /bin/false for consistency?

[mthalman]

I think all distroless Dockerfiles should use /bin/false and everything else should be left unset (keep the default).