Privilege Escalation via Docker - chrisfosterelli
https://fosterelli.co/privilege-escalation-via-docker.html

======
willglynn
"Privilege escalation" implies a vulnerability, but this behavior is by design
and -- as the author notes -- already documented.

[http://docs.docker.com/installation/ubuntulinux/#create-a-docker-group](http://docs.docker.com/installation/ubuntulinux/#create-a-docker-group)

> Warning: The docker group is equivalent to the root user; For details on how
> this impacts security in your system, see Docker Daemon Attack Surface for
> details.

[http://docs.docker.com/articles/security/](http://docs.docker.com/articles/security/)

> First of all, only trusted users should be allowed to control your Docker
> daemon. This is a direct consequence of some powerful Docker features.
> Specifically, Docker allows you to share a directory between the Docker host
> and a guest container; and it allows you to do so without limiting the
> access rights of the container. This means that you can start a container
> where the /host directory will be the / directory on your host; and the
> container will be able to alter your host filesystem without any
> restriction. This is similar to how virtualization systems allow filesystem
> resource sharing. Nothing prevents you from sharing your root filesystem (or
> even your root block device) with a virtual machine.

There's certainly room to discuss "is it possible to delegate hypervisor
access without delegating root?", and "can Docker get there from here?", but I
think calling this an exploit is pretty far fetched.

------
wyaeld
It's not an exploit when it's a documented and warned feature that reduces
your security since day 1.

"Warning: The docker group is equivalent to the root user; For details on how
this impacts security in your system, see Docker Daemon Attack Surface for
details."

FUD

~~~
chrisfosterelli
Fair enough, you could make that argument!

I did acknowledge that Docker has documented that behaviour, but that doesn't
change the fact that it is an insecure design worth being aware of. Many of the
'Docker tips' blog posts that discuss that behaviour _don't_ mention the
insecurity.

------
MadcapJake
I don't really get all the docker hate/fear as of late.

If you're a developer using docker, you should be reading the dockerfiles,
reading any referenced shell scripts, and know what the command line arguments
you're entering do. You should pretty much always be writing your own
dockerfiles based on others adding your specific tweaks and then finally your
software. That's what makes docker amazing: it lets you program your
environment like an application.

If you're carelessly running docker commands, dockerfiles, or docker images, then
you're going to expose yourself to the same security problems as if you were
carelessly running shell scripts, binaries, or whatever else you don't look at
the source of and ensure will be safe and secure within your application's
environment.

The only thing I can see as a security concern specifically for docker users
is the general swiftness of building your environment means developers might
rush through it instead of taking the time to understand what is going on
under the hood. But this is true of any software designed to ease something
once arduous.

I'm pretty new to docker myself so let me know if I am missing a gotcha
somewhere.

With that in mind, if you're properly mindful of your software, is there
really any (hidden/unforeseen) danger in using the docker group? Certainly
makes my life easier with zsh and the docker plugin.

~~~
chrisfosterelli
The concern in this example isn't a malicious package, although that's
something to be wary of.

If your user account is compromised, an attacker now has root on your entire
machine with no additional effort. This is why people are always saying to
"not run as root". When you are a member of the Docker group, you're running
as root.

On your production servers, that's a significantly larger attack surface for a
malicious party. To get full root, they just need to compromise a user account
now. That's the unforeseen danger, not the packages you download.

Also, this isn't Docker hate. I use it every day and am quite fond of it,
which is all the more reason to run it securely ;)

------
upofadown
Perhaps this just serves to remind Docker users that containers don't really
provide much, if any, isolation. At any particular time there is going to be
some sort of privilege escalation available which gives attackers the whole
machine. In the face of that reality it isn't really worth much to know about
a particular instance.

------
biot
See also: privilege escalation via wheel group.

~~~
bandrami
Err... but you don't run your app server (or anything that talks to it) in the
wheel group, do you?
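The practical consequence of chrisfosterelli's point (docker group membership is root-equivalent) and biot's wheel comparison is that the docker group deserves the same audit as wheel or sudo. The following is an added example, not code from the thread or from Docker: a small POSIX sh audit that parses `/etc/group`-style text and reports every account holding root-equivalent membership via docker, wheel or sudo. The group file content (`SAMPLE_GROUP`) is constructed so the script runs offline; on a real host you would pass `"$(cat /etc/group)"` instead.

```shell
#!/bin/sh
# Added example (not from the thread or the Docker project): audit accounts
# that are root-equivalent through group membership. The docker group grants
# control of the daemon, which can mount / read-write into a container, so
# it is treated here exactly like wheel and sudo.

# Constructed sample in /etc/group format (name:password:gid:member,member).
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
sudo:x:27:alice
docker:x:999:alice,bob,deploy
users:x:100:carol'

# Groups whose members should be treated as root. "docker" is the one that
# "Docker tips" posts tend to hand out without mentioning the consequence.
ROOT_EQUIVALENT_GROUPS="docker wheel sudo"

# members_of GROUP GROUPFILE_TEXT -> one member name per line (may be empty)
members_of() {
  printf '%s\n' "$2" | awk -F: -v g="$1" '
    $1 == g {
      n = split($4, m, ",")
      for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# member_count GROUP GROUPFILE_TEXT -> number of members as a plain integer
member_count() {
  members_of "$1" "$2" | wc -l | tr -d ' '
}

# root_equivalent_accounts GROUPFILE_TEXT -> sorted, de-duplicated list of
# accounts that are root-equivalent through any of the groups above
root_equivalent_accounts() {
  for g in $ROOT_EQUIVALENT_GROUPS; do
    members_of "$g" "$1"
  done | sort -u
}

# audit_groups GROUPFILE_TEXT -> prints a report; returns 0 only when the
# docker group is empty (wheel/sudo membership is reported but expected)
audit_groups() {
  docker_members=$(members_of docker "$1")
  for g in $ROOT_EQUIVALENT_GROUPS; do
    printf 'group %-7s: %s\n' "$g" "$(members_of "$g" "$1" | paste -sd, -)"
  done
  if [ -z "$docker_members" ]; then
    echo "OK: nobody gains root via the docker group"
    return 0
  fi
  echo "WARNING: docker group members are root on this host, same as wheel/sudo:"
  printf '%s\n' "$docker_members" | sed 's/^/  /'
  return 1
}

# Stand-alone run against the constructed sample; '|| true' keeps the script's
# own exit status clean even though the sample triggers the warning.
audit_groups "$SAMPLE_GROUP" || true
```

On a live system the interesting output is usually the difference between the wheel/sudo lines, which administrators already review, and the docker line, which often contains deploy or CI accounts nobody thought of as privileged; those accounts should either be removed from the group or treated with the same scrutiny (key hygiene, MFA, no shared credentials) as root.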

