User privileges in Docker containers

That’s a neat trick, but it’s also a documented feature:

First of all, only trusted users should be allowed to control your Docker daemon. This is a direct consequence of some powerful Docker features. Specifically, Docker allows you to share a directory between the Docker host and a guest container; and it allows you to do so without limiting the access rights of the container. This means that you can start a container where the /host directory is the / directory on your host; and the container can alter your host filesystem without any restriction.

I don’t see how adding a user to a Dockerfile really helps since someone can just remove that line from the Dockerfile… the real security best practice is to not let anyone who isn’t already in the sudoers file run docker, because letting someone run docker is giving them root access.

Read more…

Leave a Reply

Your email address will not be published. Required fields are marked *