What are the potential security problems running untrusted code in a Docker container as a non-root user?

Asked 27/8, 2015 at 19:21 Answered 12/10, 2016 at 4:21

I've seen plenty of ink spilled by now about how Docker is not sufficiently isolated to allow arbitrary containers to be run in a multi-tenant environment, and that makes sense. "If it's root in Docker, consider it root in the host machine." What about non-root though?

If I want to take some untrusted code and run it in a container, can it be done safely so long as the container is running as a non-root non-sudo user? What are the potential security pitfalls of doing something like that?

I'm fairly sure there are production applications doing this today (CI systems, runnable pastebins), but are they just lucky not to have had a determined attacker or is this a reasonable thing to do in a production system?

Mudcat answered 27/8, 2015 at 19:21 Comment(3)

+1 Really interested in the answers to this one. I could volunteer that running as root gives you write access to system files that are part of the Docker image. I guess an imaginative piece of malware could use this to exploit a vulnerability that might exist within the Docker host's kernel. – Wattle 27/8, 2015 at 19:37

I'm voting to close this question as off-topic (even though it's an interesting one). It will be best answered at security.stackexchange.com – Tenotomy 27/8, 2015 at 19:37

It's ok to post Docker admin questions on SO. It's been discussed several times: meta.stackexchange.com/search?q=docker – Arleen 28/8, 2015 at 10:19

As of Docker v1.12, if one runs a container as a non-root user with user namespaces enabled, there are two levels of privilege escalation a malicious actor needs to perform in order to become root on host:

Escalate from non-root to root user inside container
Escalate to root user in container to root user on the host

So in case untrusted code is run inside a Docker container as non-root user, it will be slightly more difficult for an attacker to become root on host, since we add an extra step of becoming root inside container. That's the only advantage in terms of security compared to running containers with root privileges.

In case of privilege escalation through both layers of security, following should help restrict the attack surface:

Workloads(more specifically docker containers, in this context) with different trust levels should be isolated from each other by use of overlay networks following least privilege principle.
Enabling available Linux security module in enforcement mode(e.g. SELinux, AppArmor)

References:

Running with non-root privileges inside containers: https://groups.google.com/forum/#!msg/docker-user/e9RkC4y-21E/JOZF8H-PfYsJ
Overlay networks: https://docs.docker.com/engine/userguide/networking/get-started-overlay/
User namespaces: https://docs.docker.com/engine/security/security/#/other-kernel-security-features

Business answered 12/10, 2016 at 4:21 Comment(0)

All containers share the same kernel. In case your un-trusted code manages to perform a kernel exploit, it can do whatever it wants on the host and/or any other running container.

Desiderative answered 16/12, 2015 at 9:34 Comment(0)

Recommended topics

Hot tags