Docker security
Docker is a major security risk on any system where you allow users to start and stop Docker containers. By default a container runs as root, so starting a container with a few tricks as a normal user compromises the security of the whole system.
For instance, if I wish to compromise the system passwords, I can simply run
mike@Server:~/docker$ docker run --rm -v /etc:/mnt/etc/ httpd:2.4 cat /mnt/etc/shadow
root:(obfuscated by author)::0:99999:7:::
bin:*:18358:0:99999:7:::
daemon:*:18358:0:99999:7:::
A user should NEVER be able to read private files like this. A similar process could be used to create a new root user with a known password, elevating that user to root.
So remember that any member of the "docker" group is, by definition, root on your system.
Always remember that Docker is NOT virtualization; it runs within the scope of your host system.
A solution to this is to create the file /etc/docker/daemon.json containing
{
    "userns-remap": "dockeruser",
    "log-driver": "journald",
    "log-opts": {
        "tag": "{{.Name}}"
    },
    "bip": "172.19.0.1/16",
    "dns": [ "8.8.6.6", "8.8.8.8" ]
}
This forces a user namespace onto Docker, so that it runs as the named user, dockeruser, with no more privileges than a normal user. You also need to create that user with
useradd dockeruser
and then validate that the correct entries were created in /etc/subuid and /etc/subgid:
grep dockeruser /etc/subuid
dockeruser:1476256:65536
grep dockeruser /etc/subgid
dockeruser:1476256:65536
However, all volumes then need to be owned by the above UID, or the containers will not be able to access the files. So you need to apply the following on each volume:
chown -R 1476256:1476256 .
in my case, given the /etc/subuid and /etc/subgid entries above. Now the same test as before fails:
# docker run --rm -v /etc:/mnt/etc/ httpd:2.4 cat /mnt/etc/shadow
cat: /mnt/etc/shadow: Permission denied
As it should.
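To make the remapping concrete, here is a small POSIX shell helper I have added to this post (it is my own example, not part of the original text or of Docker itself). It reads a subuid/subgid line of the form name:start:count, computes the host id that any container id becomes (going one step beyond the post, which only needs the mapping for container root), checks that a volume directory is owned by the mapped ids as the chown above requires, and checks that a daemon.json actually enables userns-remap. The function names map_id, volume_owned_by and daemon_has_remap are mine; the subuid/subgid sample lines are constructed to match the post.

```shell
#!/bin/sh
# Added example, not part of the original post: work out which host UID/GID a
# container UID/GID maps to under "userns-remap", and check that a volume is
# owned accordingly. The subuid/subgid lines below are constructed to match the
# post; on a real host use the output of `grep dockeruser /etc/subuid`.

SUBUID_LINE='dockeruser:1476256:65536'   # constructed sample, format name:start:count
SUBGID_LINE='dockeruser:1476256:65536'   # constructed sample

# map_id LINE CONTAINER_ID
# Prints the host id that CONTAINER_ID becomes under the range given in LINE.
# Returns 1 when the id lies outside the allocated range: such ids have no
# host owner at all (they show up as nobody/nogroup), which is a common cause
# of "Permission denied" on volumes after enabling remapping.
map_id() {
    start=$(printf '%s\n' "$1" | cut -d: -f2)
    count=$(printf '%s\n' "$1" | cut -d: -f3)
    cid=$2
    if [ "$cid" -lt 0 ] || [ "$cid" -ge "$count" ]; then
        return 1
    fi
    echo $((start + cid))
}

# volume_owned_by DIR HOST_UID HOST_GID
# Succeeds only if DIR is owned by the given host uid:gid, i.e. the chown from
# the post has been applied. Uses GNU stat, falling back to BSD stat.
volume_owned_by() {
    owner=$(stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1")
    [ "$owner" = "$2:$3" ]
}

# daemon_has_remap FILE
# Succeeds when the daemon.json at FILE sets a non-empty userns-remap value
# (a cheap text check, no JSON parser needed; remapping is off when the key is
# absent).
daemon_has_remap() {
    grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# Stand-alone demonstration.
root_uid=$(map_id "$SUBUID_LINE" 0)
root_gid=$(map_id "$SUBGID_LINE" 0)
echo "container root maps to host $root_uid:$root_gid (so: chown -R $root_uid:$root_gid <volume>)"
# A process that runs as container uid 1 (the image's "daemon" user, which the
# httpd:2.4 image uses for its worker processes) writes files that appear on
# the host as uid start+1, not as the mapped root uid.
echo "container uid 1 maps to host $(map_id "$SUBUID_LINE" 1)"
if map_id "$SUBUID_LINE" 70000 >/dev/null; then
    :
else
    echo "container uid 70000 is outside the 65536-id range: unmapped on the host"
fi
```

The practical point: the chown in the post makes the volume writable for container root, but a service that drops privileges inside the container writes as start+N, so check which container uid the service really runs as before deciding who owns the volume.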
However, user namespaces are a relatively new implementation and not yet complete, so this protection may be circumventable.
It is nevertheless a much better situation than before.
Do not give people access to Docker unless you trust them, or unless the machine holds nothing important and can easily be recreated.