Potential security hole?

roosoft · August 26, 2016, 4:03pm

According to the documentation, the daemon has to get root access to work properly. Let’s say I am a ubuntu limited user who can run docker containers. With the run -v option, it is possible to mount any folder from the filesystem, to any container. Here is an example:

docker run -it -v /root:/test ubuntu:16.04 bash

My host user obviously can’t access what’s in the /root folder. Inside the container, everything that’s in the /test folder, which also is my host’s /root folder, becomes writable.

Is there a way to prevent this? Because I have the feeling that running that command on any server running docker as root can be quite dangerous!

nathanleclaire · August 26, 2016, 9:02pm

In “vanilla Docker” there’s no such thing. Don’t let users who you don’t trust with root access use Docker. Protect Docker access like you protect root access because it IS root access. You can require sudo to use docker commands, you don’t have to put a user in the docker group.

However, there is authz plugins for granular permissions which you might want to take a look at.

Topic		Replies	Views
Docker security best practice General	1	1329	January 21, 2016
Permission issues with docker run mounted volume General docker	0	789	May 9, 2018
Docker multi tenant security General security	3	2755	January 26, 2018
Why is rootless docker still running as root inside container? General docker	5	4871	March 7, 2023
Accessing files at the root of a container General docker	1	427	April 6, 2023

Potential security hole?

Related topics