Bug#742387: group docker == local root

2014-03-26 Thread Tianon Gravi
Hi Joey!  Thanks for the report. :)

> Note README.Debian does not indicate that the docker group gives the
> user root, either inside or outside the container.

I've updated README.Debian in git to note the root-equivalence of the
docker group (and any other means of access to the Docker API), and
included a link to some further reading for the security implications of
Docker itself.

> the absurdly bad implementation of the check is
> ... worrying.

I agree; if the check was to prevent root access, it is absurdly bad,
but trying to do so while still allowing bind mounts would also be
effectively futile, IMO.  My understanding upstream when this check was
introduced (and I raised the question of why bother with the check at
all) is that it was to prevent docker.io run -v /$MYVAR:/mnt ... from
accidentally mounting / and the potential problems that might cause
(especially if the image you're running is expecting to use /mnt as a
user-provided playground).

♥,
- Tianon




Bug#742387: group docker == local root

2014-03-22 Thread Joey Hess
Package: docker.io
Version: 0.9.0+dfsg1-1
Tags: security
Severity: important

joey@darkstar:~ docker.io  run -v /:/mnt -t -i  mydebian  bash
2014/03/22 22:56:23 Invalid bind mount: source can't be '/'
joey@darkstar:~ docker.io  run -v ../../../:/mnt -t -i  debian  bash
root@b7647a89f0d7:/# wc -l  /mnt/etc/shadow
42 /mnt/etc/shadow

IMHO, this is a straight-up security hole. Non-root users should not be
allowed to expose outside system paths into the container. The check for
/ implies I'm right; the absurdly bad implementation of the check is
... worrying.

Note README.Debian does not indicate that the docker group gives the
user root, either inside or outside the container.

  As noted in the upstream documentation (https://docs.docker.io), Docker will
  allow non-root users in the docker group to access docker.sock and thus
  communicate with the daemon.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages docker.io depends on:
ii  adduser              3.113+nmu3
ii  init-system-helpers  1.18
ii  iptables             1.4.21-1
ii  libapparmor1         2.8.0-5+b1
ii  libc6                2.18-4
ii  libdevmapper1.02.1   2:1.02.83-2
ii  libsqlite3-0         3.8.3.1-1
ii  perl                 5.18.2-2+b1

Versions of packages docker.io recommends:
ii  aufs-tools       1:3.2+20130722-1.1
ii  ca-certificates  20140223
ii  git              1:1.9.1-1
ii  xz-utils         5.1.1alpha+20120614-2

docker.io suggests no packages.

-- no debconf information

-- 
see shy jo


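An added example, not part of the thread and not Docker's own code: the report shows "/" being rejected while "../../../" is accepted, which is what happens when a bind source is compared as text instead of as a resolved path. The sketch below assumes the original check was a literal string comparison (modelled as naiveCheck) and shows a canonicalizing version; canonicalCheck, the working directory and the sample paths are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
)

// ErrRootBind is returned when the bind source resolves to the host root.
var ErrRootBind = errors.New("invalid bind mount: source resolves to '/'")

// naiveCheck models the behaviour seen in the report (assumption: the
// source string is compared literally, so only the exact text "/" fails).
func naiveCheck(src string) error {
	if src == "/" {
		return ErrRootBind
	}
	return nil
}

// canonicalCheck (hypothetical helper) resolves src before comparing:
// relative paths are joined to cwd, "." and ".." are collapsed, and
// symlinks are followed when the path exists on this host.
func canonicalCheck(cwd, src string) (string, error) {
	if !filepath.IsAbs(src) {
		src = filepath.Join(cwd, src)
	}
	resolved := filepath.Clean(src)
	if real, err := filepath.EvalSymlinks(resolved); err == nil {
		resolved = real
	}
	if resolved == "/" {
		return resolved, ErrRootBind
	}
	return resolved, nil
}

func main() {
	cwd := "/home/joey" // constructed working directory
	// Constructed sample sources, including the two from the report.
	for _, src := range []string{"/", "../../../", "//./", "/nonexistent-example/data"} {
		_, err := canonicalCheck(cwd, src)
		fmt.Printf("%-28q naive=%v canonical=%v\n", src, naiveCheck(src), err)
	}
}
```

As the reply in the thread points out, a check like this only guards against mounting / by accident; it does not change the root-equivalence of access to the Docker API, since other host paths can still be bind-mounted.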