![docker run as root in container docker run as root in container](https://i.stack.imgur.com/zmXrc.png)
- DOCKER RUN AS ROOT IN CONTAINER INSTALL
- DOCKER RUN AS ROOT IN CONTAINER FULL
- DOCKER RUN AS ROOT IN CONTAINER CODE
![docker run as root in container docker run as root in container](https://phoenixnap.com/kb/wp-content/uploads/2021/04/how-to-use-docker-run-command-with-examples.png)
Eventually some StackExchange discussion pointed me to a concept known as UID remapping (subuids). It’s hidden deep in the documentation and took me while to find. None of these options were enabled by default when I CURL-installed Docker on my system, nor was I warned that I’d need to secure things manually.
DOCKER RUN AS ROOT IN CONTAINER INSTALL
Luckily, since Docker’s approach to secure by default through apparmor, seccomp, and dropping capabilitiesģ seconds to get root on my host with a default Docker install doesn’t look like “secure by default” to me. Given that many companies are doing auto-deployments, and have probably given docker daemon access to a deployment user, your build server is now effectivaly also root on all your build slaves, dev, uat and perhaps even production systems. However, they fail to mention that giving a user control of your Docker daemon is basically the same as giving them root access. Only trusted users should be allowed to control your Docker daemon They do make some casual remarks about not giving access to the docker daemon to untrusted users in the Security section of the documentation:
![docker run as root in container docker run as root in container](https://www.cloudsavvyit.com/p/uploads/2019/06/c454d054.png)
We want to ensure that Docker Enterprise Edition can be used in a manner that meets the requirements of various security and compliance standards.Įither that same courtesy does not extend to the community edition, security by default is no longer a requirement, or it’s a completely false claim. Secure by default: Easily build safer apps, ensure tamper-proof transit of all app components and run apps securely on the industry’s most secure container platform. Some choice bullshit quotes from the Docker frontpage and documentation: This is in line with the modern stance on security in the tech world: “security? What’s that?” Docker goes so far as to call them “non-events”. As far as I know, it hasn’t been fixed in the latest Docker, nor will it be fixed in future versions. There’s plenty more including all kinds of privilege escalation vulnerabilities from inside container, etc. In fact, it’s one of the less worrisome ones. I don’t need to report this, because it is a well-known vulnerability. The root.sh file simply copies the rootshell binary to the volume and sets the setuid bit on it: #!/bin/sh This isn’t strictly needed, but most shells and many other programs refuse to run as a setuid binary.
DOCKER RUN AS ROOT IN CONTAINER CODE
The rootshell file is a binary compiled from the following source code ( rootshell.c): int main() Here’s what the Dockerfile looks like: FROM alpine:3.5 So all you have to do is write a setuid root owned binary to the volume, which will then appear as a setuid root binary on the host in that volume too. By default, processes in a container also run as root. When you mount a volume into a container, that volume is mounted as root.
![docker run as root in container docker run as root in container](https://resources.jetbrains.com/help/img/idea/2021.3/03_DockerSettings.png)
Remember, this is on the Docker host, not in a container or anything! How does it work? I know I said 10 in the title, but the number 10 has special SEO properties. $ docker run -v /tmp/persist:/persist docker2root:latest /bin/sh root.sh So how hard is it to exploit this and become root on the host if you are a member of the docker group? Not very hard at all… $ id
DOCKER RUN AS ROOT IN CONTAINER FULL
You see, the Docker daemon runs as root and when you add users to the docker group, they get full access over the Docker daemon. What is not obvious right away is that this is basically the same as giving those users root access. For example, an automated build process may need a user on the target system to stop and recreate containers for testing or deployments. Alright, on with the show!Ī common practice is to add users that need to run Docker containers on your host to the docker group. That was just one of those clickbaity things everybody seems to like so much these days. Root your Docker host in 10 seconds for fun and profitĭisclaimer: There is no actual profit.