Package: docker.io Version: 0.11.1~dfsg1-1 Severity: normal Docker, at least as currently available in Debian, seems not to provide any form of user id isolation between containers and the host system.
For example, if I install apache inside a docker container, and also install it in the host system, then they will both run as www-data, uid 33. If the apache on the host system is compromised, it can then attack the apache process running inside the docker container, which has the same uid. As a simple example, it can kill the process. <puts palm on temple> I am receiving a message from the docker.io maintainers. They say, "don't do that then!" <raps table> Well, I did that because this didn't seem to be documented anywhere. The docs just say that docker provides a container with isolation. Documenting in README.Debian that the host system should be kept minimal, like a Xen dom0 tends to be kept minimal, might help avoid this kind of mistake. Probably worth mentioning that if you have a regular uid 1000 user in the host system, they can mess with any containers that themselves have a regular uid 1000 user. -- System Information: Debian Release: jessie/sid APT prefers unstable APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.10-2-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages docker.io depends on: ii adduser 3.113+nmu3 ii init-system-helpers 1.18 ii iptables 1.4.21-2 ii libapparmor1 2.8.0-5+b1 ii libc6 2.18-7 ii libdevmapper1.02.1 2:1.02.85-1 ii libsqlite3-0 3.8.4.3-3 ii perl 5.18.2-4 Versions of packages docker.io recommends: ii aufs-tools 1:3.2+20130722-1.1 ii ca-certificates 20140325 ii cgroupfs-mount 1.0 ii git 1:2.0.0~rc4-1 ii xz-utils 5.1.1alpha+20120614-2 Versions of packages docker.io suggests: pn btrfs-tools <none> ii debootstrap 1.0.60 pn lxc <none> pn rinse <none> -- no debconf information -- see shy jo
signature.asc
Description: Digital signature

