On 1/21/23 04:42, L L wrote:
The banner at the top of https://wiki.debian.org/Docker says:
"The Docker daemon has setUID root, and by design allows easy access as
root to the host filesystem. This makes it trivial for a malicious user
to read and alter sensitive system files, or for a careless user to
allow a malicious containerized app to do so. Access to Docker commands
effectively grants full root power."
I'm trying to test this. I put my own user account in the docker group
(and can execute docker commands with it).
Then I tried to see if I can use Docker to write a file to a root-owned
directory without using sudo or su. I used these commands:
    docker run -dit debian /bin/bash    # start a container
    docker cp /home/me/some-file container-id:/some-file    # put a file into the container
    docker cp container-id:/some-file /etc/some-file    # copy the file from the container into somewhere I shouldn't be able to write to
I got:
open /etc/some-file: permission denied
Is the wiki out of date and it's completely safe to have user accounts
in the docker group?
Is the wiki correct but I'm exploiting group membership wrong?
Docker is insecure by design. If a user has access to the docker socket
(belongs to the docker group) he has root access to the host system.
See example here:
https://www.youtube.com/watch?v=CB9Aa6QeRaI
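An added example, not part of the original thread: because membership in the docker group is what grants the access discussed above, this shell function lists every account that holds it, including accounts that have docker as their primary group and so never appear in the group's member list. The function name, file paths and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# List every account that can reach the Docker socket through group
# membership, given group and passwd files in the standard formats.
# Usage: docker_group_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
docker_group_members() {
    group_file=$1
    passwd_file=$2
    group_name=${3:-docker}

    # group line format: name:password:gid:member1,member2
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0   # group absent: nobody gains access this way

    {
        # Supplementary members listed in the group file.
        awk -F: -v g="$group_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # Accounts whose primary GID is the group. They are not in the
        # member list, so reading the group file alone misses them.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample data (not taken from a real system).
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'docker:x:998:me,ci' 'users:x:100:' > "$tmp/group"
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'me:x:1000:100::/home/me:/bin/bash' \
        'ci:x:1001:100::/home/ci:/bin/sh' \
        'builder:x:1002:998::/home/builder:/bin/sh' > "$tmp/passwd"
    docker_group_members "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a live host, save the output of `getent group` and `getent passwd` to files and pass those, so that accounts from directory services are included as well.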