*** This bug is a security vulnerability ***
You have been subscribed to a public security bug by Seth Arnold (seth-arnold):
Hi,
Although this is rather obvious, it is still a wide-open security gap.
There are countless web pages out there on the internet telling you to
simply run this cool service or these cool tools in a docker container
by doing
- apt install docker.io
- add yourself to the group docker
- docker run something_so_cool
but most people don't realize that they effectively remove the barrier between
their machine's root account and their own account. While things like sudo
require (if configured reasonably) a password, docker opens a wide security
gap; just try
docker run --rm -it -v /root:/origroot -v /etc:/origetc alpine /bin/sh
and you will have write access to /etc/passwd and
/root/.ssh/authorized_keys under /origetc and /origroot without entering
a password or leaving a trace in the logs.
In contrast, lxd does a better job by using a distinct uid/gid range, and a
similar attempt like
lxc launch -e f hack
lxc config device add hack origroot disk source=/root path=/origroot
lxc config device add hack origetc disk source=/etc path=/origetc
lxc exec hack /bin/bash
does not work unless you've modified /etc/subuid and /etc/subgid.
So once an attacker or malware gets access to your account, it has the root
account as well, provided docker.io is installed and your account is in the
docker group.
Even worse, since today there are plenty of tools for continuous
integration/continuous delivery that automatically start docker images
with compilers and the like, and thus need and get access to
/var/run/docker.sock, this could make breaking into the machine part of
the compiling process.
I am aware that this might not be seen as an intrinsic gap, but rather as the
result of putting yourself into the docker group being a silly idea. It is,
however, not comprehensible and not obvious to most people that putting
yourself into such a group will have the impact of enabling access to files
that do not even belong to that group. Especially since docker is no longer a
tool you install only if you understand it. There are tons of web sites telling
you „just do this and you'll get this cool stuff for free”. Lots of people are
doing exactly this, and developers even need this as part of their working
process.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: docker.io 19.03.8-0ubuntu1.20.04.2
ProcVersionSignature: Ubuntu 5.4.0-67.75-generic 5.4.94
Uname: Linux 5.4.0-67-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: LXQt
Date: Fri Apr 9 09:47:33 2021
InstallationDate: Installed on 2020-06-12 (300 days ago)
InstallationMedia: Lubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
SourcePackage: docker.io
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: docker.io (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug focal
--
docker.io opening root access when user is in docker group
https://bugs.launchpad.net/bugs/1923148
You received this bug notification because you are a member of Ubuntu Bugs,
which is subscribed to the bug report.
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
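The report above contrasts docker's default (container root is host root for anyone in the docker group) with lxd's subordinate uid ranges. The following audit script is an added example written for this page; it is not part of the bug report, of docker.io or of lxd. It lists the members of the docker group from a group(5) file, checks crudely whether /etc/docker/daemon.json sets the real `userns-remap` key (the docker feature that makes container root a subordinate host uid instead of uid 0), and shows the uid arithmetic behind the lxd behaviour: a uid inside an unprivileged container maps to `range_start + uid` from the owner's subuid entry, so container root cannot write files owned by host uid 0. The sample group, subuid and daemon.json contents are constructed; which subuid owner lxd actually uses on a given host (the `root` or `lxd` entry) is an assumption you should check locally.

```shell
#!/bin/sh
# Added audit helper (not part of the bug report, docker.io or lxd).
# Sample files below are constructed; on a real host point the functions
# at /etc/group, /etc/docker/daemon.json and /etc/subuid.

# Print the members of the "docker" group in a group(5) file, one per line.
# Everyone listed here can get host root without a password (see report).
docker_group_members() {
    awk -F: '$1 == "docker" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Succeed (exit 0) when daemon.json contains the "userns-remap" key,
# i.e. container root is remapped to a subordinate host uid. This is a
# crude textual check, not a JSON parse; a real audit should confirm the
# value with `docker info`.
userns_remap_enabled() {
    [ -f "$1" ] && grep -q '"userns-remap"' "$1"
}

# Map a uid inside an unprivileged container to the host uid it really has,
# using the owner's first subuid(5) range (name:start:count): host uid is
# start + container uid when the container uid lies within the range.
# Prints nothing if the uid falls outside the range or the owner is unmapped.
host_uid_for() {
    awk -F: -v u="$2" -v cu="$3" '$1 == u { if (cu < $3) print $2 + cu; exit }' "$1"
}

# Summarise one host: group file, daemon.json, subuid owner used for
# containers. One line per docker-group member, plus what container root
# maps to on the host.
audit_docker_access() {
    grp=$1; cfg=$2; sub=$3; owner=$4
    if userns_remap_enabled "$cfg"; then
        remap="userns-remap on"
    else
        remap="no userns-remap: container root is host root (uid 0)"
    fi
    docker_group_members "$grp" | while read -r user; do
        echo "$user: in docker group, $remap"
    done
    mapped=$(host_uid_for "$sub" "$owner" 0)
    echo "unprivileged container root for owner '$owner' is host uid ${mapped:-<unmapped>}"
}

# Demo on constructed files: alice and bob are in the docker group,
# no remapping is configured, lxd owns the range 165536-231071.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
lxd:x:132:alice
EOF
    cat > "$tmp/subuid" <<'EOF'
alice:100000:65536
lxd:165536:65536
EOF
    printf '{ "log-driver": "json-file" }\n' > "$tmp/daemon.json"
    audit_docker_access "$tmp/group" "$tmp/daemon.json" "$tmp/subuid" lxd
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the constructed case; on a real host, call `audit_docker_access /etc/group /etc/docker/daemon.json /etc/subuid root` (or `lxd`). An empty docker group and a remapped daemon are what you want to see; a populated docker group with no remapping is exactly the situation the report describes.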