On Thu, Jun 4, 2015 at 9:52 AM, Christopher Samuel <[email protected]> wrote:
> One thing that has occurred to me is that the whole point of containers
> is that they are using the kernel namespace features and so whilst the
> user inside the container is root that is only inside their own user
> namespace, that does not (should not!) correspond to root on the host
> itself (there's a mapping file to determine who they are mapped to).

While strictly true, depending on what elements are provided/allowed within the container, host-level root can be obtained even within the protected namespace. Device access, for example, or write access to /proc or /sys.

There are messages fairly regularly on the Docker mailing list from the Docker Inc. security team which advise folks not to rely on container security to protect the host from container-root. root access also gets interesting when you factor in networking and NFS. :-)

The real solution is for Docker to facilitate execution of containers as non-root, but it's not clear how far down on their roadmap it is....

Michael

-- 
Michael Jennings <[email protected]>
Senior HPC Systems Engineer
High-Performance Computing Services
Lawrence Berkeley National Laboratory
Bldg 50B-3209E    W: 510-495-2687
MS 050B-3209      F: 510-486-8615
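Two of the checks implied by the exchange above, namely whether container root is actually remapped on the host (the mapping file is /proc/<pid>/uid_map) and whether /proc and /sys are mounted writable, as an added Python example that is not part of this thread or of Docker; it assumes the kernel's uid_map and /proc/<pid>/mounts line formats and runs on constructed sample contents.

```python
"""Audit helpers: does in-container root map to host root, and are the
proc/sysfs mounts writable? Inputs are the text of /proc/self/uid_map and
/proc/self/mounts (or constructed samples, as below)."""
from typing import List, Optional


def host_uid_for(uid_map: str, inside_uid: int = 0) -> Optional[int]:
    """Translate an in-namespace UID to a host UID using uid_map text.

    Each line reads "<inside_start> <outside_start> <count>". Returns None
    when the UID falls in no range (the kernel then shows the overflow UID).
    """
    for line in uid_map.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        inside, outside, count = (int(p) for p in parts)
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def writable_pseudo_fs(mounts: str) -> List[str]:
    """Return mount points of proc/sysfs filesystems mounted read-write.

    /proc/self/mounts lines read "<src> <mountpoint> <fstype> <opts> ..."."""
    hits = []
    for line in mounts.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _src, mountpoint, fstype, opts = parts[:4]
        if fstype in ("proc", "sysfs") and "rw" in opts.split(","):
            hits.append(mountpoint)
    return hits


def assess(uid_map: str, mounts: str) -> dict:
    """Summarise both findings; container root mapping to host UID 0 means
    no user-namespace remapping is in effect at all."""
    return {
        "container_root_is_host_root": host_uid_for(uid_map, 0) == 0,
        "writable_pseudo_fs": writable_pseudo_fs(mounts),
    }


# Constructed samples (not captured from any real host):
IDENTITY_MAP = "         0          0 4294967295\n"   # root stays root
REMAPPED_MAP = "         0     100000      65536\n"   # root -> host uid 100000
MOUNTS_RW = ("proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
             "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n")
MOUNTS_RO = ("proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
             "sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n")
```

Run inside a container with `assess(open("/proc/self/uid_map").read(), open("/proc/self/mounts").read())` to see the real picture; an identity map plus a writable /sys is the combination the reply warns about.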
