On Thu, Feb 04, 2016 at 12:37:07PM -0500, Prasun Gera wrote:
> On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora <jpazdzi...@redhat.com>
> wrote:
> > > The goal is to run the
> > > docker container such that when the user calls docker run,
> >
> > Is any user allowed to run docker run? That seems like a security
> > issue.
> Well any user that can do sudo should be able to run docker. Is there a
> security issue with that ?

You need to limit those sudo calls to a very specific list of
parameters that can be passed to the docker client, otherwise it has
the potential of running any command.

> > > it just drops
> > > into a shell with the container's environment, but everything else looks
> > > largely the same. i.e. The user gets the same uid:gid and sees the same
> > > directories and permissions as the host.
> >
> > So you want bash started in the container, with the uid:gid of the
> > person invoking the command? If the users are trusted to do docker
> > run, they can do
> >
> >         docker run -u $UID container bash
> >
> > themselves.
> Yes, this is similar to the 3rd point I mentioned. The problem though is
> that directory listings will not show names inside the container. They'll

In that case, having sssd-client package installed in the container and
/var/lib/sss mounted to the container could help.

> only show uids and gids. NIS solves this as a quick hack, but is there
> something better ? Permissions would still work since NFS is not
> kerberized. Another issue I haven't figured out is how the user can get
> sudo inside the container. If you start docker with the user's uid, I don't
> know if there is a safe way for that user to get sudo inside. If you start
> docker in the root shell, you can create the user with the uid:gid, add it
> to sudoers, and then change to the user's shell ?


If you have /var/lib/sss mounted and sssd-common (or libsss_sudo
in new versions) installed in the container, you can even use the
sudo rules from IPA.

> > But you likely do not want to give every user a way to run any command,
> > why not just use sudo, and
> >
> >         docker run -u $SUDO_UID container bash
> >
> > in the script invoked with the sudo (untested)?
> I didn't follow this. Can you explain a bit more ? In the default setup,
> you anyway need sudo to run docker.

Not really -- access to docker's Unix socket is all that the docker
client needs.

> What is the -u string here ?

Setting the uid under which the container processes are run back to
the invoking user.

Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
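
The wrapper-behind-sudo approach described in this message, written out as an added example (not code from the thread or from the FreeIPA project): users get sudo rights for one script only, and the script builds a fixed `docker run` line from the `SUDO_UID`/`SUDO_GID` values that sudo sets. The install path `/usr/local/sbin/container-shell`, the group `developers`, the sudoers line and the function names are assumptions; the image name `container` and the `/var/lib/sss` mount are taken from the thread.

```shell
#!/bin/sh
# Added example: the only docker-related command users may run through sudo.
# Assumed sudoers entry (hypothetical path and group); the trailing ""
# tells sudo to refuse any command-line arguments:
#   %developers ALL=(root) /usr/local/sbin/container-shell ""

IMAGE="container"   # image name as written in the thread; never caller-controlled

# Succeed only for a plain decimal number (no sign, spaces or option text).
is_numeric_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the docker command line for the invoking user, or fail.
build_docker_cmd() {
    uid="$1"; gid="$2"
    is_numeric_id "$uid" || { echo "invalid SUDO_UID" >&2; return 1; }
    is_numeric_id "$gid" || { echo "invalid SUDO_GID" >&2; return 1; }
    # Running sudo from a root shell would otherwise yield uid 0 in the container.
    [ "$uid" -ne 0 ] || { echo "refusing uid 0" >&2; return 1; }
    # /var/lib/sss is mounted so sssd-client inside the container can
    # resolve names for directory listings, as suggested in the thread.
    echo "docker run --rm -it -u $uid:$gid -v /var/lib/sss:/var/lib/sss $IMAGE bash"
}

main() {
    [ "$#" -eq 0 ] || { echo "no arguments accepted" >&2; return 2; }
    cmd=$(build_docker_cmd "${SUDO_UID:-}" "${SUDO_GID:-}") || return 1
    # Word splitting is safe here: every field is fixed or validated numeric.
    exec $cmd
}

# Run only when installed under the assumed name, so the functions can be
# sourced and checked without starting a container.
case "$0" in
    */container-shell) main "$@" ;;
esac
```

With this in place, users do not need access to docker's Unix socket or a general `sudo docker` rule.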
