Comment by danbreuer
3 days ago
It can't easily, Docker should not be naively treated as a security solution. It's very easy to misconfigure it:
- The Docker daemon runs as root: any user in the docker group effectively also has sudo (--privileged)
- Ports exposed by Docker punch through the firewall
- In general, you can break the security boundary towards root (not your user!) by mounting the wrong things, setting the wrong flags etc.
What Docker primarily gives you is a stupid (good!) solution for having a reproducible, re-settable environment. But containers (read: magic isolated box) are not really a good tool to reason about security in Linux imo.
If you are a beginner, instead make sure you don't run services as the sudo-capable/root user as a first step. Then, I would recommend you look into Systemd services: you can configure all the Linux sandboxing features Docker uses and more. This composes well with Podman, which gives you a reproducible environment (drop-in replacement for Docker) but contained to an unprivileged user.
I agree with what you wrote, and add that you should make sure that your service's executables and scripts should also not be owned by the user they run as.
It's unfortunately very common to install, for example, a project as the "ubuntu" user and also run it as the "ubuntu" user. But this arrangement effectively turns any kind of file-overwrite vulnerability into a remote-execution vulnerability.
Owning executables as root:root, perms 0755, and running as a separate unprivileged user, is a standard approach.
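An added example, not from any commenter in this thread, that turns the two points above (the systemd sandboxing directives mentioned earlier, and the rule that the service user must not own or be able to write its own executables) into a check you can run before enabling a unit. It assumes GNU find/grep on Linux; the directory tree, unit file and the service user name `app-svc` are constructed placeholders for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a service deployment for the two
# mistakes discussed above. Assumes GNU findutils/grep; paths are placeholders.

# List files under $1 that service user $2 owns, or that are group/world
# writable. Returns 1 if any are found (a file-overwrite bug in the service
# would then become code execution as that user), 0 if the tree is clean.
audit_service_files() {
    dir=$1
    svc_user=$2
    bad=$(
        # Ownership check only makes sense if the account exists on this host.
        if id "$svc_user" >/dev/null 2>&1; then
            find "$dir" -type f -user "$svc_user"
        fi
        find "$dir" -type f \( -perm -g+w -o -perm -o+w \)
    )
    bad=$(printf '%s\n' "$bad" | sed '/^$/d' | sort -u)
    if [ -n "$bad" ]; then
        printf 'owned by %s or writable by others:\n%s\n' "$svc_user" "$bad"
        return 1
    fi
    return 0
}

# Count the hardening directives missing from unit file $1 and return that
# count as the exit status (0 means every directive is present and the unit
# does not run as root). These are real systemd.exec(5) directives.
audit_unit_sandbox() {
    unit=$1
    missing=0
    for want in 'User=' 'NoNewPrivileges=yes' 'ProtectSystem=strict' \
                'ProtectHome=yes' 'PrivateTmp=yes' 'PrivateDevices=yes' \
                'CapabilityBoundingSet='; do
        if ! grep -q "^$want" "$unit"; then
            echo "missing: $want"
            missing=$((missing + 1))
        fi
    done
    # User=root defeats the rest of the sandbox; count it as a defect too.
    if grep -q '^User=root$' "$unit"; then
        echo "unit runs as root"
        missing=$((missing + 1))
    fi
    return $missing
}

# Demonstration on a constructed layout: the "bad" install is owned and
# writable by the account that will run it; the "good" one is 0755 and owned
# by someone else, with a sandboxed unit. The user name app-svc is assumed.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bad/bin" "$tmp/good/bin"
    printf '#!/bin/sh\necho hello\n' > "$tmp/bad/bin/app"
    chmod 0777 "$tmp/bad/bin/app"
    printf '#!/bin/sh\necho hello\n' > "$tmp/good/bin/app"
    chmod 0755 "$tmp/good/bin/app"
    cat > "$tmp/app.service" <<'EOF'
[Service]
User=app-svc
ExecStart=/opt/app/bin/app
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=
EOF
    echo "== bad install, run as the installing user =="
    audit_service_files "$tmp/bad" "$(id -un)" || echo "FAIL"
    echo "== good install, run as app-svc =="
    audit_service_files "$tmp/good" "app-svc" && echo "OK"
    echo "== unit sandbox =="
    audit_unit_sandbox "$tmp/app.service" && echo "OK"
    rm -rf "$tmp"
}

[ "${1:-}" = "demo" ] && demo
```

Run it with `sh audit.sh demo` to see both outcomes; point `audit_service_files` at the real install directory and `audit_unit_sandbox` at the real unit file to check a deployment. `ProtectSystem=strict` makes the whole filesystem read-only for the service except paths you list in `ReadWritePaths=`, so adding it is also a quick way to discover where a service actually needs to write.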
> - Ports exposed by Docker punch through the firewall
I've been using ufw-docker [1] to force ufw and docker to cooperate. Without it, Docker ports do actually get exposed to the Internet. As far as I can tell, it does its job correctly. Is there another problem I am not aware of?
[1] https://github.com/chaifeng/ufw-docker
Docker keeps well behaved programs well behaved. You can escape in one line of shell.
How? Like if I have a Debian-Slim container running, it's possible to "break out" onto the host?
Yup, that's trivially easy if you have permissions to use mknod and mount. (And if the file system namespace looks like it normally does, all you need is mount.)
Docker is for organizing things for yourself, just like directories are. If you want actual isolation you have to take extra steps.
EDIT: and I feel like I should add those extra steps are exactly what most server software does automatically when it chroots itself. Again docker is really just for organizing things.