Hacker News
Privilege Escalation via Docker (fosterelli.co)
24 points by chrisfosterelli on April 22, 2015 | 11 comments



"Privilege escalation" implies a vulnerability, but this behavior is by design and -- as the author notes -- already documented.

http://docs.docker.com/installation/ubuntulinux/#create-a-do...

> Warning: The docker group is equivalent to the root user; For details on how this impacts security in your system, see Docker Daemon Attack Surface for details.

http://docs.docker.com/articles/security/

> First of all, only trusted users should be allowed to control your Docker daemon. This is a direct consequence of some powerful Docker features. Specifically, Docker allows you to share a directory between the Docker host and a guest container; and it allows you to do so without limiting the access rights of the container. This means that you can start a container where the /host directory will be the / directory on your host; and the container will be able to alter your host filesystem without any restriction. This is similar to how virtualization systems allow filesystem resource sharing. Nothing prevents you from sharing your root filesystem (or even your root block device) with a virtual machine.

There's certainly room to discuss "is it possible to delegate hypervisor access without delegating root?", and "can Docker get there from here?", but I think calling this an exploit is pretty far fetched.


It's not an exploit when it's a documented and warned-about feature that has reduced your security since day 1.

"Warning: The docker group is equivalent to the root user; For details on how this impacts security in your system, see Docker Daemon Attack Surface for details."

FUD


Fair enough, you could make that argument!

I did acknowledge that Docker has documented that behaviour, but that doesn't change the fact that it is an insecure design worth being aware of. Many of the 'Docker tips' blog posts that discuss that behaviour _don't_ mention the insecurity.


The article acknowledges that:

> In Docker’s defense, they are aware that this is a security problem, although they apparently have no intention of actually fixing it. About half way down in their security document, they do explain that the ‘docker’ group is root-equivalent and why that is dangerous.


Not just FUD, but a form of speculation about how security is sooo awesome.

Edit: Hey downvoters any explanation? sudo any explanation?


I don't really get all the docker hate/fear as-of-late.

If you're a developer using docker, you should be reading the dockerfiles, reading any referenced shell scripts, and know what the command line arguments you're entering do. You should pretty much always be writing your own dockerfiles based on others adding your specific tweaks and then finally your software. That's what makes docker amazing: it lets you program your environment like an application.

If you're carelessly running docker commands, dockerfiles, docker images, then you're going to expose yourself to the same security problems as if you were carelessly running shell scripts, binaries, or whatever else you don't look at the source and ensure will be safe and secure within your application's environment.

The only thing I can see as a security concern specifically for docker users is the general swiftness of building your environment means developers might rush through it instead of taking the time to understand what is going on under the hood. But this is true of any software designed to ease something once arduous.

I'm pretty new to docker myself so let me know if I am missing a gotcha somewhere.

With that in mind, if you're properly mindful of your software, is there really any (hidden/unforeseen) danger in using the docker group? Certainly makes my life easier with zsh and the docker plugin.


The concern in this example isn't a malicious package, although that's something to be wary of.

If your user account is compromised, an attacker now has root on your entire machine with no additional effort. This is why people are always saying to "not run as root". When you are a member of the Docker group, you're running as root.

On your production servers, that's a significantly larger attack surface for a malicious party. To get full root, they just need to compromise a user account now. That's the unforeseen danger, not the packages you download.

Also, this isn't Docker hate. I use it every day and am quite fond of it, which is all the more reason to run it securely ;)
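A small audit helper for the point made in this comment, added here as an example rather than code from the thread or from Docker: since every member of the `docker` group is root-equivalent, the first thing to check on a host is who is actually in that group. The functions read a group(5)-format file passed as an argument so the script can run offline against the constructed sample below; pass `/etc/group` to audit a real host. The group name `docker` and the sample user names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate root-equivalent users via the
# docker group. Reads a group(5)-format file so it can run against a sample.

# Print the comma-separated member list of a group (default: docker).
# group(5) format is name:password:gid:member1,member2
docker_group_members() {
    groupfile="$1"
    group="${2:-docker}"
    awk -F: -v g="$group" '$1 == g { print $4 }' "$groupfile"
}

# Count members of the group; any non-zero result means that many accounts
# can get root on this host without a password prompt, just via the daemon.
docker_group_member_count() {
    members=$(docker_group_members "$1" "${2:-docker}")
    [ -z "$members" ] && { echo 0; return; }
    echo "$members" | tr ',' '\n' | grep -c .
}

# Constructed sample group file (assumed users alice and bob) for a
# self-contained run. Replace with /etc/group on a real machine.
SAMPLE_GROUP_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:alice
docker:x:999:alice,bob
EOF

# Report: wheel members still face a sudo password check; docker members do not.
if [ "$(docker_group_member_count "$SAMPLE_GROUP_FILE")" -gt 0 ]; then
    echo "WARNING: root-equivalent docker group members: $(docker_group_members "$SAMPLE_GROUP_FILE")"
fi
echo "wheel members (password still required for sudo): $(docker_group_members "$SAMPLE_GROUP_FILE" wheel)"
```

Run it as `sh audit_docker_group.sh`; to audit a real host, call `docker_group_member_count /etc/group` instead of the sample file. The mitigation the thread implies is simply to keep this list empty on production hosts and have operators reach the daemon through `sudo`, so that the password check the `wheel` comparison below mentions is not sidestepped.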


Perhaps this just serves to remind Docker users that containers don't really provide much, if any, isolation. At any particular time there is going to be some sort of privilege escalation available which gives attackers the whole machine. In the face of that reality it isn't really worth much to know about a particular instance.


See also: privilege escalation via wheel group.


Err... but you don't run your app server (or anything that talks to it) in the wheel group, do you?


Wheel users (should) have to verify their password, that's specifically what the 'docker' group sidesteps.



