Docker对主机系统的根访问 [英] Docker root access to host system
问题描述
当我以普通用户身份运行容器时,可以在主机文件系统上映射并修改由root拥有的目录。这似乎是一个很大的安全漏洞。例如,我可以执行以下操作:
When I run a container as a normal user I can map and modify directories owned by root on my host filesystem. This seems to be a big security hole. For example I can do the following:
$ docker run -it --rm -v /bin:/tmp/a debian
root@14da9657acc7:/# cd /tmp/a
root@f2547c755c14:/tmp/a# mv df df.orig
root@f2547c755c14:/tmp/a# cp ls df
root@f2547c755c14:/tmp/a# exit
现在我的 host 文件系统键入 df 时,将执行 ls 命令(大多数情况下无害)。我不敢相信这是理想的行为,但是它正在我的系统中发生(debian延伸)。 docker 命令具有普通权限(755,不是setuid)。
Now my host filesystem will execute the ls command when df is typed (mostly harmless example). I cannot believe that this is the desired behavior, but it is happening in my system (debian stretch). The docker command has normal permissions (755, not setuid).
我缺少什么?
也许可以多澄清一点。目前,我对容器本身的作用或可以执行的操作不感兴趣,也不关心容器内部的根访问。
Maybe it is good to clarify a bit more. I am not at the moment interested in what the container itself does or can do, nor am I concerned with the root access inside the container.
我注意到,我的可以运行docker容器的系统可以使用它来获得对我的 host 系统的根访问权限,并以根用户身份对其进行任意读写:有效地为所有用户提供根访问权限。那显然不是我想要的。如何防止这种情况?
Rather I notice that anyone on my system that can run a docker container can use it to gain root access to my host system and read/write as root whatever they want: effectively giving all users root access. That is obviously not what I want. How to prevent this?
推荐答案
有许多Docker安全功能可用于解决Docker安全问题。
There are many Docker security features available to help with Docker security issues. The specific one that will help you is User Namespaces.
基本上,您需要在预先停止Docker守护程序的情况下在主机上启用用户命名空间:
Basically you need to enable User Namespaces on the host machine with the Docker daemon stopped beforehand:
dockerd --userns-remap=default &
请注意,这将禁止容器在特权模式下运行(从安全角度来看这是一件好事),并且重新启动Docker守护程序(在执行此命令之前应将其停止)。当您输入Docker容器时,可以将其限制为当前非特权用户:
Note this will forbid the container from running in privileged mode (a good thing from a security standpoint) and restart the Docker daemon (it should be stopped before performing this command). When you enter the Docker container, you can restrict it to the current non-privileged user:
docker run -it --rm -v /bin:/tmp/a --user UID:GID debian
无论如何,尝试输入之后使用默认命令
Regardless, try to enter the Docker container afterwards with your default command of
docker run -it --rm -v /bin:/tmp/a debian
如果您尝试操纵映射到Docker卷的主机文件系统(在这种情况下 / bin ),其中文件和目录归root拥有,那么您将收到权限被拒绝错误。这证明用户命名空间提供了您正在寻找的安全功能。
If you attempt to manipulate the host filesystem that was mapped into a Docker volume (in this case /bin) where files and directories are owned by root, then you will receive a Permission denied error. This proves that User Namespaces provide the security functionality you are looking for.
我建议通过Docker实验室的 https://github.com/docker/labs/tree/master/security/userns 。我已经完成了所有实验室的工作,并在那里打开了Issues和PR,以确保那里的实验室的完整性并可以为其提供担保。
I recommend going through the Docker lab on this security feature at https://github.com/docker/labs/tree/master/security/userns. I have done all of the labs and opened Issues and PRs there to ensure the integrity of the labs there and can vouch for them.
这篇关于Docker对主机系统的根访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
