What are the potential security problems running untrusted code in a Docker container as a non-root user?


Problem description
I've seen plenty of ink spilled by now about how Docker is not sufficiently isolated to allow arbitrary containers to be run in a multi-tenant environment, and that makes sense. "If it's root in Docker, consider it root in the host machine." What about non-root though?

If I want to take some untrusted code and run it in a container, can it be done safely so long as the container is running as a non-root non-sudo user? What are the potential security pitfalls of doing something like that?

I'm fairly sure there are production applications doing this today (CI systems, runnable pastebins), but are they just lucky not to have had a determined attacker or is this a reasonable thing to do in a production system?

Solution

As of Docker v1.12, if one runs a container as a non-root user with user namespaces enabled, there are two levels of privilege escalation a malicious actor needs to perform in order to become root on the host:

  1. Escalate from non-root to root user inside the container
  2. Escalate from root user in the container to root user on the host

So in case untrusted code is run inside a Docker container as a non-root user, it will be slightly more difficult for an attacker to become root on the host, since we add the extra step of becoming root inside the container. That's the only advantage in terms of security compared to running containers with root privileges.

In case of privilege escalation through both layers of security, the following should help restrict the attack surface:

  1. Workloads (more specifically, Docker containers in this context) with different trust levels should be isolated from each other by use of overlay networks, following the least privilege principle.
  2. Enable an available Linux security module in enforcing mode (e.g. SELinux, AppArmor).

References:
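As an added example (not part of the original answer), the following POSIX shell functions parse a `/proc/<pid>/uid_map` to check whether the second escalation step described above actually exists, i.e. whether container uid 0 is remapped to an unprivileged host uid rather than being host root. The two sample maps are constructed, and the remapped base 165536 is a sample value, not read from a real host.

```shell
#!/bin/sh
# Added example: decide from a /proc/<pid>/uid_map whether container root is
# also host root. Each uid_map line reads: <inside-start> <outside-start> <count>.

# host_uid_for MAP INSIDE_UID -> prints the host uid that INSIDE_UID maps to,
# or "unmapped" when no line of the map covers it.
host_uid_for() {
    inside="$2"
    result="unmapped"
    while read -r in_start out_start count; do
        [ -z "$in_start" ] && continue
        if [ "$inside" -ge "$in_start" ] && [ "$inside" -lt $((in_start + count)) ]; then
            result=$((out_start + inside - in_start))
            break
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$result"
}

# userns_verdict MAP -> "identity" when container uid 0 is host uid 0 (no user
# namespace protection), "remapped" when it maps to an unprivileged host uid,
# "unmapped" when uid 0 is not mapped at all.
userns_verdict() {
    host=$(host_uid_for "$1" 0)
    case "$host" in
        unmapped) echo unmapped ;;
        0)        echo identity ;;
        *)        echo remapped ;;
    esac
}

# Constructed sample maps (not captured from a real host):
# a container run without user namespaces, and one under userns-remap where
# uid 0 maps to host uid 165536 (sample base value) with a range of 65536.
NO_USERNS_MAP="         0          0 4294967295"
REMAP_MAP="         0     165536      65536"
```

From inside a running container, `userns_verdict "$(cat /proc/self/uid_map)"` reports which case applies; `id -u` separately confirms the first layer (that the workload is not root inside the container).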
