
user accounts in docker group


L L

Jan 20, 2023, 10:50:05 PM
The banner at the top of https://wiki.debian.org/Docker says:

"The Docker daemon has setUID root, and by design allows easy access as root to the host filesystem. This makes it trivial for a malicious user to read and alter sensitive system files, or for a careless user to allow a malicious containerized app to do so. Access to Docker commands effectively grants full root power."

I'm trying to test this. I put my own user account in the docker group (and can execute docker commands with it).

Then I tried to see if I can use Docker to write a file to a root-owned directory without using sudo or su. I used these commands:
docker run -dit debian /bin/bash        #start a container (options such as -dit go before the image name, not after it)
docker cp /home/me/some-file container-id:/some-file    #put a file into the container
docker cp container-id:/some-file /etc/some-file        #copy the file from the container into somewhere I shouldn't be able to write to

I got:
open /etc/some-file: permission denied

Is the wiki out of date and it's completely safe to have user accounts in the docker group?
Is the wiki correct but I'm exploiting group membership wrong?



Yongun Seong

Jan 21, 2023, 2:50:05 AM
I would try something like

docker run -v /:/host -it debian

Which I expect would give you root access to the "host" system inside
the container, under /host.
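Added example, not from this thread or from Docker itself: two POSIX shell helpers an admin could use to audit the two things discussed here, who is in the docker group and whether any container bind-mounts the host root. Both read from stdin so they can be checked against the constructed sample data below; the docker inspect format string in the comment is my assumption about how to feed them real data.

```shell
#!/bin/sh
# Audit helpers for a Debian host running Docker (added example).

# list_docker_group_members: given /etc/group content on stdin, print the
# members of the docker group. Each of them can talk to the daemon and can
# therefore get root on the host, as the wiki banner warns.
list_docker_group_members() {
    awk -F: '$1 == "docker" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# flag_host_mounts: given lines of the form SOURCE:DESTINATION:RW on stdin,
# print the mounts whose host-side source is / or another sensitive path
# (the "-v /:/host" pattern from the reply above, or the daemon socket).
# Assumed way to produce such lines for a real container:
#   docker inspect --format '{{range .Mounts}}{{.Source}}:{{.Destination}}:{{.RW}}{{"\n"}}{{end}}' "$id"
flag_host_mounts() {
    while IFS=: read -r src dst rw; do
        case "$src" in
            /|/etc|/etc/*|/root|/root/*|/boot|/boot/*|/var/run/docker.sock)
                printf 'RISK host path %s mounted at %s (rw=%s)\n' "$src" "$dst" "$rw" ;;
        esac
    done
}

# Constructed sample data standing in for /etc/group and docker inspect output.
SAMPLE_GROUP='root:x:0:
sudo:x:27:me
docker:x:998:me,alice'
SAMPLE_MOUNTS='/:/host:true
/home/me/project:/work:true
/var/lib/docker/volumes/data/_data:/data:true'

# Demo run over the samples: prints "me alice" and one RISK line for /:/host.
printf 'docker group members: %s\n' "$(printf '%s\n' "$SAMPLE_GROUP" | list_docker_group_members | tr '\n' ' ')"
printf '%s\n' "$SAMPLE_MOUNTS" | flag_host_mounts
```

On a real host, run `list_docker_group_members < /etc/group` and pipe the inspect output of each container from `docker ps -q` into `flag_host_mounts`.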

Alex Mestiashvili

Jan 21, 2023, 11:10:05 AM
Docker is insecure by design. If a user has access to the docker socket
(belongs to the docker group) he has root access to the host system.

See example here:
https://www.youtube.com/watch?v=CB9Aa6QeRaI