The banner at the top of https://wiki.debian.org/Docker says:
"The Docker daemon has setUID root, and by design allows easy access as root to the host filesystem. This makes it trivial for a malicious user to read and alter sensitive system files, or for a careless user to allow a malicious containerized app to do so. Access to Docker commands effectively grants full root power."

I'm trying to test this. I put my own user account in the docker group (and can execute docker commands with it). Then I tried to see if I can use Docker to write a file to a root-owned directory without using sudo or su. I used these commands:

    docker run -dit debian /bin/bash  # start a container
    docker cp /home/me/some-file container-id:/some-file  # put a file into the container
    docker cp container-id:/some-file /etc/some-file  # copy the file from the container into somewhere I shouldn't be able to write to

I got:

    open /etc/some-file: permission denied

Is the wiki out of date and it's completely safe to have user accounts in the docker group? Is the wiki correct but I'm exploiting group membership wrong?
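For an administrator who wants to see which accounts hold the access the wiki banner describes, here is an added example (not part of the original question) that lists every account in the docker group, whether through supplementary membership in /etc/group or through a primary GID in /etc/passwd. The file contents are constructed samples and the function names are hypothetical.

```python
# Added example: enumerate accounts that belong to the docker group.
# Membership can come from the member list in /etc/group (supplementary)
# or from the GID field in /etc/passwd (primary); audits often miss the latter.
# The sample file contents below are constructed for illustration.

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:998:me,bob
users:x:100:
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
me:x:1001:1001:Me:/home/me:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
svc-build:x:1003:998:CI builder:/home/svc-build:/usr/sbin/nologin
"""

def docker_group_members(group_text, passwd_text, group_name="docker"):
    """Return {user: 'supplementary' | 'primary'} for accounts in group_name."""
    gid, members = None, {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or fields[0] != group_name:
            continue
        gid = fields[2]
        for user in filter(None, (u.strip() for u in fields[3].split(","))):
            members[user] = "supplementary"
    if gid is None:
        return members  # the group does not exist in this group file
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[3] == gid:
            members.setdefault(fields[0], "primary")
    return members

def report(members):
    """One line per account, sorted, for review alongside sudoers."""
    return [f"{user}: docker group ({how}), review as root-equivalent"
            for user, how in sorted(members.items())]

if __name__ == "__main__":
    print("\n".join(report(docker_group_members(SAMPLE_GROUP, SAMPLE_PASSWD))))
```

On a real host, pass the contents of /etc/group and /etc/passwd instead of the samples; accounts provided by a directory service (LDAP, SSSD) do not appear in those files and need a separate lookup.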