Docker Community Forums

How to set user/command restrictions on docker container

(Bunjee) #1

I have a docker container and I want to control which users can execute commands using the engine API. What is the easiest way to perform a kind of authorization to my container?
Is there a way to create groups of users who can execute commands or is there a way to restrict the commands that my container will accept?

(David Maze) #2

No, and no. Anyone who can run Docker commands has unrestricted root access on the host. If you possess a copy of a Docker image you can see its entire filesystem contents, and run any command in it. If you can run Docker commands, you can arbitrarily docker exec into any container as any user and run any command.

Plan your security model accordingly.

If you’re tempted to use the docker daemon -H option to expose the Docker socket on a network port, “can run Docker commands” in the paragraph above expands to “can reach the exposed port”.

One of the higher-level orchestrators (Kubernetes, Nomad, Amazon ECS) might help you out here since the general model is that the orchestrator “owns” the system it’s running on, and it can provide a filtering layer around what’s allowed. In Kubernetes you can limit the ability to run containers, mount host paths, or exec into running containers, and let “user” be defined by an existing user database (like your Google domain or AWS IAM), and since you don’t directly run Docker commands the system as a whole is more protected. Even with these controls you still can’t pretend the contents of an image are “private” or “secure”, though.
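
An added example, not part of the posts in this thread: a small audit that lists who falls under "can run Docker commands" in the sense of the answer above, from the `docker` group line in `/etc/group`, the `hosts` and `tlsverify` keys in `daemon.json`, and the `dockerd` command line. The function name and the sample inputs are constructed for illustration.

```python
import json
import shlex

def docker_access_findings(etc_group, daemon_json, dockerd_cmdline):
    """List who is root-equivalent on the host through the Docker API."""
    findings = []
    # Supplementary members of the 'docker' group can use the local Unix socket.
    # (Users whose primary group is docker live in /etc/passwd; not covered here.)
    for line in etc_group.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == "docker":
            for user in filter(None, fields[3].split(",")):
                findings.append(f"local user '{user}' is in group docker: root-equivalent")
    # Listen addresses come from daemon.json "hosts" and from -H/--host flags.
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    hosts = list(cfg.get("hosts", []))
    tls = bool(cfg.get("tlsverify", False))
    args = shlex.split(dockerd_cmdline)
    for i, arg in enumerate(args):
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls = True
    for host in hosts:
        if not host.startswith("tcp://"):
            continue
        if tls:
            findings.append(f"{host}: every holder of a client certificate "
                            "signed by the configured CA is root-equivalent")
        else:
            findings.append(f"{host}: anyone who can reach this port is root-equivalent")
    return findings

# Constructed sample inputs (not taken from any real host).
SAMPLE_GROUP = "root:x:0:\ndocker:x:998:alice,ci-runner\nsudo:x:27:bob\n"
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_CMDLINE = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for finding in docker_access_findings(SAMPLE_GROUP, SAMPLE_DAEMON_JSON, SAMPLE_CMDLINE):
        print(finding)
```

On a real host, feed it the contents of `/etc/group` and `/etc/docker/daemon.json` and the running `dockerd` command line; every name or address it prints belongs in the threat model as host root.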

(Bunjee) #3

Thanks for the detailed answer. What about the “Access authorization plugin”?
I didn’t understand completely how it works but it seems that it provides a kind of restriction, no?