As you already know, Docker released version 1.10 with a huge list of features.
The list also includes a number of security improvements; one of them is better support for user namespaces.
This is what happened before version 1.10.
We are just running an alpine container that mounts an external volume, /var/log/.
:: include no-usernamespece.rd
As you can see, the ownership of the files inside the container is exactly the same as outside the container (because we are bind-mounting the host volume).
That means that the user actually logged in inside the container (root) has access to these files and could, for example, mess them up.
If we run the exact same command on Docker 1.10, after adding the option --userns-remap=default
to the daemon, this is the result:
:: include usermap.rd
The owner is now nobody,
and even though the user inside the container is still root,
it has no access to those files.
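Why the host's root-owned files show up as nobody is a consequence of how the uid mapping works: with --userns-remap=default, the Docker daemon creates a dockremap user and reads its subordinate uid/gid range from /etc/subuid and /etc/subgid; container uid N is mapped to host uid (range start + N), and any host uid that falls outside that range has no representation inside the container, so the kernel shows it as the overflow id 65534 (nobody). The script below is an added example, not code from the original post or from Docker; it works out that mapping from a constructed /etc/subuid sample (the 100000:65536 range is a typical default but is an assumption here) so you can check which host uid a container's root really is, and whether a given host-owned file will be reachable from inside a remapped container, before bind-mounting something sensitive.

```shell
#!/bin/sh
# Added example: compute user-namespace uid mappings the way Docker's
# --userns-remap uses /etc/subuid. The sample below is CONSTRUCTED; on a
# real host you would read /etc/subuid itself (the remap user is "dockremap"
# when --userns-remap=default is used).
SUBUID_SAMPLE='dockremap:100000:65536
alice:165536:65536'

# subuid_range USER -> prints "START LENGTH" for USER (empty if no entry)
subuid_range() {
    printf '%s\n' "$SUBUID_SAMPLE" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# container_to_host USER CONTAINER_UID -> host uid that CONTAINER_UID maps to.
# Container uid 0 (root) becomes START on the host, i.e. an unprivileged uid.
container_to_host() {
    _range=$(subuid_range "$1")
    [ -n "$_range" ] || { echo "no subuid range for $1" >&2; return 1; }
    _start=${_range% *}
    _len=${_range#* }
    [ "$2" -ge 0 ] && [ "$2" -lt "$_len" ] || { echo "uid $2 outside range" >&2; return 1; }
    echo $(( _start + $2 ))
}

# host_to_container USER HOST_UID -> container uid, or "nobody" when the host
# uid is not covered by the mapping. Host root (uid 0) is never in the range,
# which is why root-owned files in a bind-mounted volume appear as nobody
# inside a remapped container and are not writable by container root.
host_to_container() {
    _range=$(subuid_range "$1")
    [ -n "$_range" ] || { echo "no subuid range for $1" >&2; return 1; }
    _start=${_range% *}
    _len=${_range#* }
    if [ "$2" -ge "$_start" ] && [ "$2" -lt $(( _start + _len )) ]; then
        echo $(( $2 - _start ))
    else
        echo nobody
    fi
}

# Usage: container root under the default remap, and where host root ends up.
container_to_host dockremap 0      # host uid for container root
host_to_container dockremap 0      # host root as seen from the container
host_to_container dockremap 100001 # a host file owned by the remap range
```

A practical check before mounting a host directory into a remapped container is to run the first function with the daemon's actual /etc/subuid entry and then inspect the directory's ownership: if the owning uid is not inside the printed range, the container will see it as nobody, which is the protective behaviour shown above but also the usual cause of "permission denied" surprises after enabling user namespaces.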