Potential security hole?

According to the documentation, the daemon has to get root access to work properly. Let’s say I am an Ubuntu limited user who can run Docker containers. With the run -v option, it is possible to mount any folder from the filesystem to any container. Here is an example:

docker run -it -v /root:/test ubuntu:16.04 bash

My host user obviously can’t access what’s in the /root folder. Inside the container, everything that’s in the /test folder, which also is my host’s /root folder, becomes writable.

Is there a way to prevent this? Because I have the feeling that running that command on any server running docker as root can be quite dangerous!

In “vanilla Docker” there’s no such thing. Don’t let users who you don’t trust with root access use Docker. Protect Docker access like you protect root access because it IS root access. You can require sudo to use docker commands; you don’t have to put a user in the docker group.

However, there are authz plugins for granular permissions which you might want to take a look at.

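As an added illustration (not part of the original posts and not code from Docker or any existing plugin), this is the decision an authz plugin could make for the `-v /root:/test` case: it reads the `AuthZPlugin.AuthZReq` message the daemon sends and denies container-create requests that bind-mount host paths outside an allowlist. The allowlist `/srv/containers` and all function names are assumptions, and the HTTP listener a real plugin needs is left out.

```python
import base64, json, posixpath, re

# Hypothetical policy: only host paths under these directories may be bind-mounted.
ALLOWED_HOST_PREFIXES = ("/srv/containers",)
CREATE_URI = re.compile(r"^(/v[\d.]+)?/containers/create(\?.*)?$")

def host_sources(body):
    """Yield host paths named in HostConfig.Binds and bind-type HostConfig.Mounts."""
    host_config = body.get("HostConfig") or {}
    for bind in host_config.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src.startswith("/"):              # anything else is a named volume
            yield src
    for mount in host_config.get("Mounts") or []:
        if mount.get("Type") == "bind":
            yield mount.get("Source", "")

def path_allowed(path):
    norm = posixpath.normpath(path)          # collapses "..", does not resolve symlinks
    return any(norm == p or norm.startswith(p + "/") for p in ALLOWED_HOST_PREFIXES)

def authorize(req):
    """Decide on one AuthZReq message; returns the plugin's JSON reply as a dict."""
    if req.get("RequestMethod") != "POST" or not CREATE_URI.match(req.get("RequestUri", "")):
        return {"Allow": True}
    try:
        raw = base64.b64decode(req.get("RequestBody") or "", validate=True)
        body = json.loads(raw or b"{}")
        if not isinstance(body, dict):
            raise ValueError("body is not a JSON object")
    except ValueError:                       # bad base64 or bad JSON: fail closed
        return {"Allow": False, "Msg": "unparseable container create body"}
    for src in host_sources(body):
        if not path_allowed(src):
            return {"Allow": False, "Msg": f"bind mount of host path {src} is not permitted"}
    return {"Allow": True}

def make_request(create_body):
    """Build a constructed sample AuthZReq (the body is base64 in the JSON message)."""
    return {"RequestMethod": "POST", "RequestUri": "/v1.41/containers/create",
            "RequestBody": base64.b64encode(json.dumps(create_body).encode()).decode()}

if __name__ == "__main__":
    # Constructed sample: reduced create body for `docker run -v /root:/test ubuntu:16.04 bash`
    sample = {"Image": "ubuntu:16.04", "HostConfig": {"Binds": ["/root:/test"]}}
    print(authorize(make_request(sample)))
```

It covers only the bind-mount case raised in the question, not every option a create request can carry.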