@davidino
Last active February 25, 2016 08:07
docker-security-1.10

Docker security improvement - User Namespaces

As you probably know, Docker 1.10 shipped with a long list of features. Among them are several security improvements; one of them is support for user namespaces, which lets the daemon remap the container's root to an unprivileged uid on the host.

This is what happened before 1.10. We simply run an alpine container bind-mounting the host's /var/log into it:

:: include no-usernamespece.rd

As the listing shows, the ownership of the files inside the container is exactly what it is on the host, because the directory is bind-mounted and there is no uid translation. The user you are logged in as inside the container (root) is the same uid 0 as the host's root, so it can read, modify or delete any of those files.

If we run the exact same command against a Docker 1.10 daemon started with the option --userns-remap=default, this is the result:

:: include usermap.rd

The owner now shows as nobody. Host uids 0 and 104 (and group adm) are not mapped into the container's user namespace, so they appear as the overflow id 65534, which ls prints as nobody. The container's root is really an unprivileged host uid taken from the subordinate range of the dockremap user the daemon creates, and the capabilities it holds inside the namespace do not apply to files owned by unmapped uids. It therefore gets only the "other" permission bits: the files with mode 640 are unreadable to it, while bootstrap.log (mode 644) is still world-readable. The remap protects exactly what the host's own permission bits already protect from an ordinary user, no more. You can confirm the mapping from inside a running container with cat /proc/self/uid_map, and confirm the daemon flag with the ps listing below.
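The following script is an added example, not part of the original gist or of Docker itself. It models the uid_map lookup the kernel performs for a user namespace and uses it to predict what container root can do with files on a bind-mounted host directory, both without remapping (identity map) and with --userns-remap=default. The subordinate range 100000/65536 and the three files in the listing are constructed values taken from the listing above; the real range comes from /etc/subuid on your host.

```shell
#!/bin/sh
# Added example (not the gist's or Docker's code): model the uid_map translation
# of a user namespace and what it means for root inside a --userns-remap container.

# Constructed /proc/<pid>/uid_map contents. Docker's default remap gives the
# container one range starting at the first subuid of the "dockremap" user;
# 100000/65536 is an assumed value, the real one is read from /etc/subuid.
REMAP_MAP="0 100000 65536"
# The host's own (initial) namespace: an identity map over every uid.
IDENTITY_MAP="0 0 4294967295"

# map_id MAP HOST_ID: print the id a process in the namespace sees for HOST_ID.
# Each map line is "inside outside count" (several lines are handled). A host id
# covered by no line is unmapped and shows up as the overflow id 65534 ("nobody").
map_id() {
    map=$1
    host_id=$2
    saved_ifs=$IFS
    IFS='
'
    for line in $map; do
        IFS=$saved_ifs
        set -- $line
        inside=$1; outside=$2; count=$3
        if [ "$host_id" -ge "$outside" ] && [ "$host_id" -lt $((outside + count)) ]; then
            echo $((inside + host_id - outside))
            return 0
        fi
    done
    IFS=$saved_ifs
    echo 65534
    return 0
}

# root_access MAP OWNER_HOST_UID MODE: what container root gets on a file.
# Capabilities such as CAP_DAC_OVERRIDE held in a user namespace only apply to
# inodes whose owner is mapped into that namespace. If the owner is mapped,
# root's capabilities win ("full"); otherwise only the "other" bits of the ls
# mode string apply, exactly as for any unprivileged user ("none", "r", "rw", ...).
root_access() {
    map=$1
    owner=$2
    mode=$3
    if [ "$(map_id "$map" "$owner")" -ne 65534 ]; then
        echo full
        return 0
    fi
    other=$(printf '%s' "$mode" | cut -c8-10)
    case $other in
        ---) echo none ;;
        *) printf '%s\n' "$other" | sed 's/-//g' ;;
    esac
}

# report MAP: constructed entries (name:host_owner_uid:mode) for three files of
# the /var/log listing above: root's dmesg (640), root's bootstrap.log (644)
# and syslog.1 owned by host uid 104 (640).
report() {
    map=$1
    printf '%-15s %-11s %-7s %s\n' file mode owner root_access
    for entry in 'dmesg:0:-rw-r-----' 'bootstrap.log:0:-rw-r--r--' 'syslog.1:104:-rw-r-----'; do
        name=${entry%%:*}; rest=${entry#*:}; owner=${rest%%:*}; mode=${rest#*:}
        printf '%-15s %-11s %-7s %s\n' "$name" "$mode" \
            "$(map_id "$map" "$owner")" "$(root_access "$map" "$owner" "$mode")"
    done
}

echo "without --userns-remap (identity map):"
report "$IDENTITY_MAP"
echo "with --userns-remap=default:"
report "$REMAP_MAP"
```

Compare the second table with the listing from the remapped daemon: everything owned by an unmapped host uid appears as 65534, the 640 files are off limits to container root, and bootstrap.log is still readable because its "other" bits say so.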

Side notes: https://medium.com/on-docker/what-s-montague-docker-user-problems-and-patterns-79750c504aa1#.r2l9i55z3

no-usernamespece.rd (daemon without --userns-remap):
➜ ~ ps -ef | grep -i daemon
root 21636 1 2 15:04 ? 00:00:00 /usr/bin/docker daemon -H fd://
➜ ~ docker run -it --rm -v /var/log:/var/log --name=demo alpine ls -latr /var/log/
total 35236
drwxr-xr-x 2 root root 4096 Oct 5 15:57 apt
drwxr-xr-x 2 root root 4096 Oct 20 16:18 dist-upgrade
-rw-r----- 1 root adm 31 Oct 21 17:28 dmesg
-rw-r--r-- 1 root root 72557 Oct 21 17:29 bootstrap.log
drwxr-xr-x 2 root root 4096 Nov 5 08:19 fsck
drwxr-xr-x 3 root root 4096 Nov 5 08:49 installer
-rw-r----- 1 root adm 6378 Dec 15 12:18 apport.log.1
drwxr-x--- 2 root adm 4096 Dec 17 06:04 unattended-upgrades
-rw-r----- 1 104 adm 1351288 Dec 19 05:56 syslog.2.gz
-rw-r----- 1 104 adm 402127 Dec 25 06:17 auth.log.1
-rw-r----- 1 104 adm 8667895 Dec 25 06:17 kern.log.1
-rw-r----- 1 104 adm 932806 Dec 25 06:21 syslog.1
usermap.rd (daemon started with --userns-remap=default):
➜ ~ ps -ef | grep -i daemon
root 21636 1 2 15:04 ? 00:00:00 /usr/bin/docker daemon -H fd:// --userns-remap=default
➜ ~ docker run -it --rm -v /var/log:/var/log --name=demo alpine ls -latr /var/log/
total 35260
drwxr-xr-x 2 nobody nobody 4096 Oct 5 15:57 apt
drwxr-xr-x 2 nobody nobody 4096 Oct 20 16:18 dist-upgrade
-rw-r----- 1 nobody nobody 31 Oct 21 17:28 dmesg
-rw-r--r-- 1 nobody nobody 72557 Oct 21 17:29 bootstrap.log
drwxr-xr-x 2 nobody nobody 4096 Nov 5 08:19 fsck
drwxr-xr-x 3 nobody nobody 4096 Nov 5 08:49 installer
-rw-r----- 1 nobody nobody 6378 Dec 15 12:18 apport.log.1
drwxr-x--- 2 nobody nobody 4096 Dec 17 06:04 unattended-upgrades
-rw-r----- 1 nobody nobody 1351288 Dec 19 05:56 syslog.2.gz
-rw-r----- 1 nobody nobody 402127 Dec 25 06:17 auth.log.1
-rw-r----- 1 nobody nobody 8667895 Dec 25 06:17 kern.log.1
-rw-r----- 1 nobody nobody 932806 Dec 25 06:21 syslog.1