Recently, I began to use docker for my lab’s server. The server is a Linux server with Ubuntu server 18.04 installed. Users’ login authentication is using Windows Active Directory (AD). My current solution to run non-root docker is by adding users to
However, I found a severe security problem. AD user A can run a docker container as any other user (docker run -u B's uid:B's gid). In the container, A can get all
The proper way to run non-root docker may be the newly introduced ‘Rootless mode’. The problem is that rootless mode needs newuidmap and newgidmap, but AD users are not listed in /etc/passwd, /etc/subuid, etc., which means neither rootless mode nor userns-remap mode can be used in my situation (i.e. AD auth).
Is there any method to tackle this issue? Thanks so much.
StackOverflow post: link
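The post turns on two facts that can be checked on the host: who is in the docker group (and therefore can start containers as any uid), and whether a given account has the subordinate uid/gid ranges that newuidmap/newgidmap need before rootless mode or userns-remap is even possible. The script below is an added example, not code from the original post or from Docker; it works on constructed stand-ins for /etc/group, /etc/subuid and /etc/subgid so it runs offline, and the account names alice, bob and carol are made up. On a real host you would point it at the real files (an AD account resolved only through NSS/SSSD normally has no /etc/subuid entry, which is exactly the gap the post describes).

```shell
#!/bin/sh
# Added example (not from the original post): audit which docker-group members
# have the subuid/subgid ranges required for rootless mode / userns-remap.

# has_subid_range USER FILE
#   FILE is in /etc/subuid or /etc/subgid format (name:start:count).
#   Prints "USER: start-end" and returns 0 if USER has a non-empty range,
#   returns 1 otherwise.
has_subid_range() {
    user=$1
    file=$2
    awk -F: -v u="$user" \
        '$1 == u && $3 > 0 { found = 1; print u ": " $2 "-" ($2 + $3 - 1); exit }
         END { exit !found }' "$file"
}

# rootless_ready USER SUBUID_FILE SUBGID_FILE
#   Returns 0 only if USER has both a subuid and a subgid range, which is the
#   precondition for newuidmap/newgidmap (and so for rootless dockerd).
rootless_ready() {
    has_subid_range "$1" "$2" >/dev/null && has_subid_range "$1" "$3" >/dev/null
}

# docker_group_members GROUP_FILE
#   Prints the comma-separated member list of the "docker" group.
docker_group_members() {
    awk -F: '$1 == "docker" { print $4; exit }' "$1"
}

# report GROUP_FILE SUBUID_FILE SUBGID_FILE
#   One line per docker-group member: either the account can be moved to
#   rootless mode, or it currently holds root-equivalent access through the
#   daemon socket with no user-namespace mapping available.
report() {
    docker_group_members "$1" | tr ',' '\n' | while read -r u; do
        [ -n "$u" ] || continue
        if rootless_ready "$u" "$2" "$3"; then
            echo "$u: has subuid and subgid ranges; rootless mode is possible"
        else
            echo "$u: in docker group but has no subuid/subgid ranges (root-equivalent via dockerd, no remap possible)"
        fi
    done
}

# Constructed sample files standing in for the real /etc/group, /etc/subuid
# and /etc/subgid. alice is a local account with ranges; carol stands in for an
# AD account that is in the docker group but has no subordinate id ranges.
SAMPLE_GROUP=$(mktemp)
SAMPLE_SUBUID=$(mktemp)
SAMPLE_SUBGID=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP" "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"' EXIT
printf 'root:x:0:\ndocker:x:999:alice,carol\n' > "$SAMPLE_GROUP"
printf 'alice:100000:65536\nbob:165536:65536\n' > "$SAMPLE_SUBUID"
printf 'alice:100000:65536\nbob:165536:65536\n' > "$SAMPLE_SUBGID"

# Usage on the constructed data (replace the three paths with the real files):
report "$SAMPLE_GROUP" "$SAMPLE_SUBUID" "$SAMPLE_SUBGID"
```

On a real system, substitute /etc/group, /etc/subuid and /etc/subgid for the three sample paths; `getent passwd "$u"` can be added to the loop to confirm that a member resolves through NSS (as AD accounts do) even though it has no subuid entry.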