Docker: preventing docker exec /bin/bash

1.

RUN echo 'root:Docker!' | chpasswd

or

RUN echo 'Docker!' | passwd --stdin root 

2. 

For the bash command specifically, I added the command exit at the end of the .bashrc file, so the user logs in and is finally kicked out, but users can still use the sh command.

3.

docker exec -it :id /bin/sh -c 'rm -R /bin/*'

That gets rid of sh and any useful bin command in Linux. I'm unsure what you'd do to get into the container at that point. Though I know that you might be able to use a memory debugger to get environment variables of the running container, but it makes it that much more annoying... I wonder if there's a way to lock down that memory in ring 0 and take away ssh access altogether to the host.

If anyone knows how to crack that, I would be interested in knowing how.

EDIT

You want to use docker secrets if you're protecting sensitive information. Check out:

https://docs.docker.com/engine/swarm/secrets/
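
A check for step 3, added here as an example that is not part of the original post: it audits an unpacked container root filesystem for shells that survive after /bin is emptied. The function names, the lists of shell names and directories, and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit an unpacked container root filesystem for shells.
# The names below (function names, lists, sample tree) are assumptions.
# A real tree can be unpacked with: docker export <container> | tar -x -C <dir>

SHELL_NAMES="sh bash dash ash zsh ksh busybox"
BIN_DIRS="bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin"

# remaining_shells DIR: print every shell-like entry still reachable in DIR,
# one container path per line. Symlinks are reported without being resolved,
# because an absolute link target would resolve against the host, not DIR.
remaining_shells() {
    rootfs_dir=$1
    for dir in $BIN_DIRS; do
        for name in $SHELL_NAMES; do
            candidate="$rootfs_dir/$dir/$name"
            if [ -L "$candidate" ] || { [ -f "$candidate" ] && [ -x "$candidate" ]; }; then
                echo "/$dir/$name"
            fi
        done
    done
}

# build_sample_rootfs: constructed sample tree, prints its path.
# /bin is empty (as after step 3), but shells survive elsewhere.
build_sample_rootfs() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/bin" "$sample_dir/sbin" \
             "$sample_dir/usr/bin" "$sample_dir/usr/local/bin"
    printf 'placeholder\n' > "$sample_dir/usr/bin/dash"
    chmod 755 "$sample_dir/usr/bin/dash"             # executable: reported
    ln -s busybox "$sample_dir/usr/local/bin/sh"     # symlink: reported
    printf 'placeholder\n' > "$sample_dir/sbin/bash"
    chmod 644 "$sample_dir/sbin/bash"                # not executable: ignored
    echo "$sample_dir"
}

sample=$(build_sample_rootfs)
found=$(remaining_shells "$sample")
if [ -n "$found" ]; then
    echo "shell-capable entries still present:"
    echo "$found"
else
    echo "no known shell names found"
fi
rm -rf "$sample"
```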

Reposted from blog.csdn.net/niekunhit/article/details/108271798