Docker security
Docker is actually a major security risk on a system where you allow users to start and stop Docker containers. By default, a Docker container runs as root, so a normal user who starts a container can, with a little trickery, compromise system security.
For instance, if I wish to compromise system passwords, I can simply do:
    mike@Server:~/docker$ docker run --rm -v /etc:/mnt/etc/ httpd:2.4 cat /mnt/etc/shadow
    root:(obfuscated by author)::0:99999:7:::
    bin:*:18358:0:99999:7:::
    daemon:*:18358:0:99999:7:::
It should NEVER be possible for a user to access private files like this. A similar process could be used to create a new root user with a known password, thus elevating a normal user to root.
Thus you must remember that any member of the "docker" group is, by definition, now root on your system.
Always remember that Docker is NOT virtualization, and it runs in the scope of your system. I have not yet found any mechanism for preventing system access, though namespaces may resolve this.
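Since every member of the "docker" group has to be treated as root, it helps to know exactly who is in it. The shell function below is an added example, not part of the original post: it lists those accounts, including ones whose primary group is docker, which the member list in /etc/group does not show. The function name and the sample group and passwd data are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every account that is effectively root through the
# "docker" group. File paths are parameters so the check can also run on
# copies; the sample data further down is constructed.

# docker_group_users GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one user name per line, sorted and de-duplicated.
docker_group_users() {
    group_file=$1
    passwd_file=$2
    group_name=${3:-docker}

    # /etc/group format: name:password:gid:member1,member2,...
    entry=$(awk -F: -v g="$group_name" '$1 == g { print; exit }' "$group_file")
    [ -n "$entry" ] || return 0   # no such group: nobody to report

    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    {
        # Supplementary members listed in the group entry.
        printf '%s\n' "$entry" | cut -d: -f4 | tr ',' '\n'
        # Accounts whose PRIMARY group is docker; they are not in the
        # member list, so reading /etc/group alone misses them.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sed '/^$/d' | sort -u
}

# Constructed sample data (not taken from any real system).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:mike,alice
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
mike:x:1001:1001::/home/mike:/bin/bash
ci:x:1002:998::/home/ci:/bin/sh
EOF

echo "Accounts that can start containers (treat as root):"
docker_group_users "$sample_dir/group" "$sample_dir/passwd"
```

On a live host, call it as docker_group_users /etc/group /etc/passwd; accounts that come from a directory service rather than the local files are not covered by this check.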