I have seen this topic brought up before in various places (e.g., old google forum), but cannot find anything specific on how this might be handled by Docker itself now, or if this type of security hole can be mitigated at all.
Network Scenario
A networked environment of computers, all having NFS mounts pointing to home directories of individual users. Users can log on to any machine where their home directory is then available to them.
Docker Execution Scenario
Docker images are available to the docker daemon running on any given machine, in this case scientific software. Currently, all docker commands are wrapped and not exposed, i.e., no end-user is required to interact with the command line to execute or manage the containers in any way, this is achieved through an electron app that executes the docker calls directly through the Docker API.
Security Hole
However, since Docker containers execute as root, and moreover, since a Docker container can be executed with the -u flag specifying any UID, a malicious user can easily achieve the following:
- Build a simple container providing a /bin/bash command line
- Start it, specifying a UID of some other user
- Proceed to user’s home directory and delete all their files
Worse, someone really out to ruin a person’s life could place some illegal content there and then contact the authorities. Granted, some extreme examples, however, since the possibility exists and can be thought of, unless there is a way to close such a hole, Docker will simply not be allowed to exist in this sort of environment.
So my question is: has this been thought about in any real way: how to handle multi-user execution environments where Docker can exist but can’t be used to make life hard on other people?
Alternatively, if there are tricks to hack a secure environment somehow, I’m happy to entertain all possibilities.