Comment by ashishb
2 days ago
> docker run super-evil-oci-container
1. That super evil OCI container still needs to find a vulnerability in Docker
2. You can run Docker in rootless mode, e.g. Orbstack runs without root
2 days ago
They're suggesting that the attacker is in a position to `docker run`. Any attacker in that position has privesc to root, trivially.
Rootless mode requires unprivileged user namespaces, disabled on almost any distribution because it's a huge security hole in and of itself.
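A host-side check of the two conditions argued over in this thread, as an added example that is not part of either comment: which local accounts can reach the Docker daemon socket, and whether unprivileged user namespaces are enabled. It assumes the default socket path `/var/run/docker.sock` and the sysctls `user.max_user_namespaces` and `kernel.unprivileged_userns_clone` (the latter is a Debian/Ubuntu knob and may be absent); the function names are hypothetical.

```python
import grp
import os
import pwd
import stat
from pathlib import Path

SOCKET = "/var/run/docker.sock"  # assumed: Docker's default daemon socket
# Knobs gating unprivileged user namespaces; either may be absent on a host.
USERNS_SYSCTLS = {
    "user/max_user_namespaces": lambda v: v > 0,           # 0 disables userns
    "kernel/unprivileged_userns_clone": lambda v: v == 1,  # Debian/Ubuntu knob
}

def socket_principals(mode, owner, group_members):
    """Accounts able to connect; connecting needs write permission on the socket."""
    who = ["root"]  # root bypasses the mode bits
    if owner != "root" and mode & stat.S_IWUSR:
        who.append(owner)
    if mode & stat.S_IWOTH:
        who.append("*any local user*")
    if mode & stat.S_IWGRP:
        who += sorted(group_members)
    return who

def userns_enabled(values):
    """values: {sysctl: int} for the knobs present. None means no knob was found."""
    checks = [ok(values[k]) for k, ok in USERNS_SYSCTLS.items() if k in values]
    return all(checks) if checks else None

def read_sysctls(root="/proc/sys"):
    """Read whichever of the known knobs exist under /proc/sys."""
    found = {}
    for name in USERNS_SYSCTLS:
        path = Path(root, name)
        if path.exists():
            found[name] = int(path.read_text())
    return found

if __name__ == "__main__":
    try:
        st = os.stat(SOCKET)
        # gr_mem lists supplementary members only, not users whose primary group this is
        members = grp.getgrgid(st.st_gid).gr_mem
        owner = pwd.getpwuid(st.st_uid).pw_name
        print("can drive the daemon:", socket_principals(st.st_mode, owner, members))
    except FileNotFoundError:
        print("no daemon socket at", SOCKET)
    except KeyError:
        print("socket owner or group has no passwd/group entry")
    print("unprivileged user namespaces enabled:", userns_enabled(read_sysctls()))
```

Every account the first check lists should be treated as root-equivalent on that host when the daemon runs as root.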