A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control. While you're here, please Read This First.

What Is SelfHosted, as it pertains to this subreddit? We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Service: Dropbox - Alternative: Nextcloud
Service: Google Reader - Alternative: Tiny Tiny RSS
Service: Blogger - Alternative: WordPress

It's impossible for the container image to know which user you want it to run as. So, there are two options aside from running as root:

1) Make the container UID/GID aware. Use environment variables to set the desired UID/GID. The container startup has code to become that user. This is work for the container developer.

2) Use the UID/GID functionality built in to Docker/k8s. Because it's built in, it takes no effort on the container developer's part, except to ensure it CAN run as a non-root user, which they would have had to do anyway for option #1. All of these containers that "run as root" are doing exactly this. You can change it to whatever you want in your docker run command, docker-compose file, or k8s manifests.

There are some containers that NEED privileged access to do what they are going to do. In these cases, the container developer can use Option #1: do the things root is needed for first and then become the less privileged user. There are some containers that NEED privileged access the entire time. There is no way to run this except as root. In all other cases, leaving the permissions up to Docker/k8s is the best option.

As far as you know. You should run your containers with less privilege, not more. You wouldn't run apache2 as root, why are you running a container that way?

Because, while I build my container images without root, I don't build every container I run, and the kernel provides isolation, making it irrelevant.

Except it's not. If I can get into your container but can't get to the host I still have a foothold. I can replace executables etc. with malicious ones. When you go to access the container to see what I broke and try and fix it, I can pop up a fake login prompt on the terminal. Now I likely have access to other things on your box. If you're running containers as root, you most likely don't use SSH keys.

Good luck getting into the container, let alone replacing the executable, when it's only running one thing. Why are you running SSH in some application container, again?

Apache2 can access /var/

But you just revealed you have no idea what you're talking about so that's great. I bet you think Docker is a security solution.

Funny, because you just revealed that you either (A) are being deliberately obtuse, or (B) don't actually understand containers. In spite of the fact that you're obviously an asshole, I'll break it down for you. A correctly built container contains precisely one application, its dependencies, and potentially, a mounted-in volume with some data. That application needs to be able to access all of it. Ergo, it doesn't matter whether it's running as root or some other user, because either way, it has privileges to access all of it. You can run a virtual machine and run an OS in the virtual machine in the container, but what the hell are you doing? I said an OS, which, in the context of a conversation about containers, obviously (to anybody who has literally ever worked with containers) means the set of userspace utilities for that distro, not a kernel. But, hey, if you want to be pedantic, sure you can have that one. TL;DR: You're wrong but you'll downvote me and argue moot points while the other Docker fanboys pound the downvote button so hard their screens shatter.

Ah, and no bullshit post would be complete without the victim complex whining as a flourish. I'm done here, but you feel free to keep talking.

Unless this point assumes I bind-mounted `/bin` into my container like a dumbass, you don't have any foothold.

> When you go to access the container to see what I broke

Sorry, how are you doing that? Why would I do that when I can just destroy the container and make a new one? Your whole premise seems to be based on 0day exploits that can be used for container breakout + exploits in the (probably) http service my app exposes. So you take control of my apache2 container through a shitty wordpress install, get RCE, then break out of the container. That's a lot of assumptions, and you aren't really being candid about how many stars would need to align for this to be feasible.

FYI: neither of the participants of this thread is treating security as a spectrum - you're both speaking in stupid absolutes and you're both wrong.
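The "two options" comment above describes the pattern but does not show it. Below is an added example (not code from the thread or from any project mentioned in it) of an option #1 entrypoint: the image reads `PUID`/`PGID` from the environment, does the root-only setup (creating the account, fixing ownership of the mounted volume), and then becomes that user for the life of the application. It assumes an Alpine-style image with `su-exec` installed; `PUID`, `PGID`, `APP_USER`, `DATA_DIR` and `APP_BIN` are names chosen for illustration. It also handles the option #2 case: if the runtime already started the process unprivileged, there is nothing to drop, so it just runs the app.

```shell
#!/bin/sh
# Added example (not from the thread): an "option 1" entrypoint that makes an
# image UID/GID aware. PUID/PGID, APP_USER, DATA_DIR and APP_BIN are
# assumptions for illustration. Assumes an Alpine-style image with su-exec.
set -eu

APP_USER="${APP_USER:-app}"               # assumed account name inside the image
DATA_DIR="${DATA_DIR:-/data}"             # assumed mounted-in volume
APP_BIN="${APP_BIN:-/usr/local/bin/app}"  # assumed application binary

# Validate a PUID/PGID pair. Prints "uid:gid" on success, returns 1 on bad input.
# Defaults to 1000:1000 and refuses 0, so a typo cannot silently keep root.
resolve_ids() {
    uid="${1:-1000}"
    gid="${2:-1000}"
    for v in "$uid" "$gid"; do
        case "$v" in
            ''|*[!0-9]*) echo "invalid id: '$v'" >&2; return 1 ;;
        esac
    done
    if [ "$uid" -eq 0 ] || [ "$gid" -eq 0 ]; then
        echo "refusing to run as uid/gid 0; set PUID/PGID" >&2
        return 1
    fi
    echo "$uid:$gid"
}

# Prints "drop" when the current uid is root (docker run without --user), or
# "keep" when the runtime already started us unprivileged (option 2), in which
# case su-exec could not switch users anyway.
drop_mode() {
    if [ "$1" -eq 0 ]; then echo drop; else echo keep; fi
}

main() {
    ids="$(resolve_ids "${PUID:-}" "${PGID:-}")"
    uid="${ids%%:*}"
    gid="${ids##*:}"

    if [ "$(drop_mode "$(id -u)")" = "keep" ]; then
        # The runtime chose the user (option 2): run the app as-is.
        exec "$APP_BIN" "$@"
    fi

    # Root is used only for these setup steps.
    if ! awk -F: -v g="$gid" '$3 == g { f=1 } END { exit !f }' /etc/group; then
        addgroup -g "$gid" "$APP_USER"
    fi
    grp="$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' /etc/group)"
    if ! awk -F: -v u="$uid" '$3 == u { f=1 } END { exit !f }' /etc/passwd; then
        adduser -D -H -u "$uid" -G "$grp" "$APP_USER"
    fi
    chown -R "$uid:$gid" "$DATA_DIR"

    # Become the target user for the lifetime of the application.
    exec su-exec "$uid:$gid" "$APP_BIN" "$@"
}

# Only run main when executed as the image entrypoint, so the functions can be
# sourced or tested without creating users or changing file ownership.
case "${0##*/}" in
    entrypoint.sh) main "$@" ;;
esac
```

Option #2 needs none of this in the image: `docker run --user 1000:1000 ...`, `user: "1000:1000"` in a compose service, or a Kubernetes `securityContext` with `runAsUser`, `runAsGroup` and `runAsNonRoot: true` start the process unprivileged, and the entrypoint above simply takes the "keep" branch. The caveat a practitioner hits with option #2 is the one the script's "drop" branch exists for: an unprivileged process cannot `chown` the mounted volume, so its ownership has to be correct before the container starts.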