Secure a multi-apps docker server

Hi there!

I’m quite new to the Docker world. I read a lot of articles and documentation, but the more I read, the more I get lost.

I think my use case is quite simple though.

I want to host several Docker apps on my server. Let’s say Gitea and Owncloud.

Due to their complexity, we never know what kind of new leak we can find in those applications.

So I want to be absolutely sure that, if there is a leak:

  • the attacker will not be able to get out of the container (I host other sensitive stuff on my server) to read secrets or mess with stuff.
  • the attacker will not be able to mess with the other containers

Okay, so here is what I’ve done so far:

  • I created a user “gitea” and added it to the group “docker”
  • I created a “data” repository owned by the user “gitea” and strict permissions on it (700)
  • I created a .env file with even stricter permissions (400, owned by gitea) and the following content:
    USER_UID=[UID of the user “gitea” on host]
    USER_GID=[GID of the user “gitea” on host]

Now I read that it is good practice to disable “SETGID” and “SETUID” for the container.
But it seems that my Gitea container uses those capabilities to run as non-root and be able to access the “data” directory.
You will probably tell me that, if they do this, I don’t have to worry about user escalation, but what if they mess things up on a future release, for instance? Or if there is a breach in their design?

I also read that I could use namespaces to do that. That’s closer to what I want: if I understand well, using a namespace, I am absolutely sure that user escalation can have absolutely no effect, as UID 0 in the container will map to a non-existing user on the host. But this brings two more problems to me:

  • How can I be sure that it won’t be possible for an attacker to mess with another container (as they are both in the same namespace)?
  • How do I handle the “data” directory? Should I chown it to [starting subuid range for dockremap]+[UID of the user “gitea” on host]?

Thanks for your help!
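The last question in the post (which host owner the “data” directory needs under userns-remap) comes down to reading the subordinate ID ranges and adding the container-side UID to the range start. The following Python is an added worked example, not code from the post, from Gitea or from Docker. It parses /etc/subuid-style lines, maps a container UID/GID to the host UID/GID the way Docker's userns-remap does, and emits the chown target for a data directory used by a container running as USER_UID:USER_GID. It goes slightly beyond the single-range case in the post: when the remap user has several ranges, they are chained in file order (container ID 0 starts at the first range, IDs past its length continue into the next). The remap user name "dockremap", the sample /etc/subuid content, the host UID 1000 for the gitea user and the path /srv/gitea/data are all constructed assumptions.

```python
"""Work out which host UID/GID a container UID/GID lands on under Docker's
userns-remap, from /etc/subuid and /etc/subgid style entries.

Added example (not from the forum post). Assumption: Docker chains all ranges
listed for the remap user in file order, so container ID 0 maps to the first
range's start and IDs beyond the first range continue into the next one.
"""

from dataclasses import dataclass

# Constructed sample of /etc/subuid (same format as /etc/subgid): user:start:count
SAMPLE_SUBUID = """\
# constructed /etc/subuid sample
dockremap:100000:65536
alice:165536:65536
"""


@dataclass(frozen=True)
class IdRange:
    owner: str
    start: int   # first host ID in the range
    count: int   # number of IDs in the range


def parse_subid(text: str) -> list[IdRange]:
    """Parse subuid/subgid lines; '#' comments and blank lines are skipped."""
    ranges = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        owner, start, count = line.split(":")
        ranges.append(IdRange(owner, int(start), int(count)))
    return ranges


def host_id(ranges: list[IdRange], remap_user: str, container_id: int) -> int:
    """Return the host ID that `container_id` maps to for `remap_user`.

    Ranges for the user are chained in file order. Raises LookupError if the
    user has no range, and ValueError if the ID falls outside the mapped space:
    such an ID has no host-side identity at all, which is what the remap is for.
    """
    if container_id < 0:
        raise ValueError("container id must be non-negative")
    user_ranges = [r for r in ranges if r.owner == remap_user]
    if not user_ranges:
        raise LookupError(f"no subordinate ID range for {remap_user!r}")
    offset = 0  # first container ID covered by the current range
    for r in user_ranges:
        if offset <= container_id < offset + r.count:
            return r.start + (container_id - offset)
        offset += r.count
    raise ValueError(
        f"container id {container_id} is outside the {offset} IDs mapped for {remap_user!r}"
    )


def data_dir_owner(subuid_text: str, subgid_text: str, remap_user: str,
                   user_uid: int, user_gid: int) -> tuple[int, int]:
    """Host uid:gid a bind-mounted data directory must be owned by when the
    container process runs as USER_UID:USER_GID (the values from the .env file)."""
    uid = host_id(parse_subid(subuid_text), remap_user, user_uid)
    gid = host_id(parse_subid(subgid_text), remap_user, user_gid)
    return uid, gid


def chown_command(path: str, owner: tuple[int, int]) -> str:
    """Render the chown the host admin would run (numeric IDs: the host has
    no user named for them, and that is intended)."""
    uid, gid = owner
    return f"chown -R {uid}:{gid} {path}"


if __name__ == "__main__":
    # Assumed values: host user "gitea" is 1000:1000, same ranges for gids.
    owner = data_dir_owner(SAMPLE_SUBUID, SAMPLE_SUBUID, "dockremap", 1000, 1000)
    print(chown_command("/srv/gitea/data", owner))  # chown -R 101000:101000 /srv/gitea/data
```

Two things the numbers make visible: the container's UID 0 lands on the first subordinate ID (100000 here), an unprivileged host account with no name, and any file the container must write has to be owned by an ID inside that range, so "range start + USER_UID" is the right target for the data directory; an ID outside the range cannot be reached by anything in the container, which the function reports as an error rather than guessing.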