Saturday, January 27, 2018

docker group security risk

The Docker doc spells out that there are security concerns of adding a user to the docker group. Unfortunately, they do not precisely give what the concern is. I guess that is a "security-by-obscurity" approach trying to avoid bad things. Practice show this isn't useful: the bad guys know anyways, and the casual user has a bad time understanding the actual risk involved.

It is considerable, so let me explain at least one risk (I have not tried exhaustively check security issues):  The containers are usually defined to run as root user. This permits you to bypass permission checks on the host.

Let’s assume a $USER is inside the docker group and otherwise has just installed docker. So he can run
$ docker run -v/etc:/malicious -ti --rm alpine
# cd /malicious
# vi sudoers
.... edit, write ...
# ctl-D
As such, the user can modify system config that he could not access otherwise. It’s a real risk. If you have a one-person “personal” machine/VM where the user has sudo permissions in any case … I’d say it’s no real issue.

The story is a different one on e.g. a CI machine.  It's easy to inject bad code into public pull requests, and so it'll run on the CI platform. Usually (before spectre/meltdown...), this was guarded by the (low) permissions of the CI worker user (if you run CI with a sudo-enabled user ... nothing changed). When you enable it to use docker, you now get this new class of attack vector. Don't get me wrong: I do NOT advocate against using docker in CI. Right the opposite, it's an excellent tool there. I just want to make you aware that you need to consider and mitigate another attack vector.

No comments:

simplifying rsyslog JSON generation

With RESTful APIs, like for example ElasticSearch, you need to generate JSON strings. Rsyslog will soon do this in a very easy to use way. ...