Security of Docker as it runs as root user Security of Docker as it runs as root user docker docker

Security of Docker as it runs as root user


security docker

When you run as root, you can access a broader range of kernel services. For instance, you can:

  • manipulate network interfaces, routing tables, netfilter rules;
  • create raw sockets (and generally speaking, "exotic" sockets, exercising code that has received less scrutiny than good old TCP and UDP);
  • mount/unmount/remount filesystems;
  • change file ownership, permissions, extended attributes, overriding regular permissions (i.e. using slightly different code paths);
  • etc.

(It's interesting to note that all those examples are protected by capabilities.)

The key point is that as root, you can exercise more kernel code; if there is a vulnerability in that code, you can trigger it as root, but not as a regular user.

Additionally, if someone finds a way to break out of a container, if you break out as root, you can do much more damage than as a regular user, obviously.

security docker

You can reboot host machine by echoing to /proc/sysrq-trigger on docker. Processes running as root in docker can do this.

This seems quite good reason not to run processes as root in docker ;)

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last