Theoretically, yes. Easy, no. It all depends on how you set things up. One of the biggest attack surfaces in Dockerland is the Linux kernel itself, which you are by definition giving them access to by providing them shell access in a container.
Yes and no. They are run with a seccomp profile and have a restrictive filesystem, but also run as
root (which is same
root as on host) by default. So there are some nice confining features but some sharp edges as well.
“Easily”, probably not. It would require a more sophisticated attacker than Jane Average Docker User, but is still something you should be worrying about.
As with giving any user privileges to execute code on boxes you own, there will always be risk. But if you must, here’s some ways you can be safer:
USER to run containers as non-root
- Use AppArmor/grsecurity/SELinux type functionality
- Turn off networking functionality and caps (
--cap-drop CAP_BLAH) if not needed in shell containers. If attacker can’t install new software their attack will be much harder.
- Keep detailed auditing and logs of what gets executed on the servers
- Don’t bind mount or otherwise expose resources from host / other containers in containers
Pretty much your standard “secure multi-user UNIX/Linux” layer cake with additional Docker icing really.
There’s probably more I’m forgetting and a variety of resources you can look up to research more. Check out https://www.nccgroup.trust/us/our-research/abusing-privileged-and-unprivileged-linux-containers/