Security of Docker as it runs as root user


Question

A Docker blog post indicates:

    "Docker containers are, by default, quite secure; especially if you take care of running your processes inside the containers as non-privileged users (i.e. non root)."

So, what is the security issue if I'm running as root under Docker? I mean, it is quite secure if I take care of running my processes as non-privileged users, so how can I be harmful to the host in a container as the root user? I'm just asking to understand it: how can it be isolated if it is not secure when running as root? Which system calls can expose the host system then?

Answer

When you run as root, you can access a broader range of kernel services. For instance, you can:

  • manipulate network interfaces, routing tables, netfilter rules;
  • create raw sockets (and generally speaking, "exotic" sockets, exercising code that has received less scrutiny than good old TCP and UDP);
  • mount/unmount/remount filesystems;
  • change file ownership, permissions, extended attributes, overriding regular permissions (i.e. using slightly different code paths);
  • etc.

(It's interesting to note that all those examples are protected by capabilities.)

The key point is that as root, you can exercise more kernel code; if there is a vulnerability in that code, you can trigger it as root, but not as a regular user.

Additionally, if someone finds a way to break out of a container, breaking out as root lets you do much more damage than breaking out as a regular user, obviously.
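The answer's point that every one of those operations is gated by a Linux capability can be checked directly: the kernel exposes a process's effective capability set as the hex bitmask on the `CapEff:` line of `/proc/<pid>/status`. The script below is an added example (not code from the question, the answer, or Docker itself) that decodes such a mask and reports which of the four operations listed above it permits. Bit numbers are those from `linux/capability.h`; the mask `00000000a80425fb` is what a default Docker container gives root (Docker's documented default set: CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, SETGID, SETUID, SETPCAP, NET_BIND_SERVICE, NET_RAW, SYS_CHROOT, MKNOD, AUDIT_WRITE, SETFCAP). The other masks are constructed here to model `--cap-drop=ALL` and `--cap-add=NET_ADMIN`; the operation-to-capability table is my own mapping of the answer's bullets.

```python
"""Decode a CapEff bitmask and report which root-only operations it permits.

Example code, not part of the original Q&A. Bit positions follow
linux/capability.h; the sample masks are constructed for illustration.
"""
from typing import Dict, Iterable, Optional, Set

# Capability name -> bit number (linux/capability.h).
CAP_BITS: Dict[str, int] = {
    "CAP_CHOWN": 0, "CAP_DAC_OVERRIDE": 1, "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3, "CAP_FSETID": 4, "CAP_KILL": 5, "CAP_SETGID": 6,
    "CAP_SETUID": 7, "CAP_SETPCAP": 8, "CAP_LINUX_IMMUTABLE": 9,
    "CAP_NET_BIND_SERVICE": 10, "CAP_NET_BROADCAST": 11, "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13, "CAP_IPC_LOCK": 14, "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17, "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19, "CAP_SYS_PACCT": 20, "CAP_SYS_ADMIN": 21,
    "CAP_SYS_BOOT": 22, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26, "CAP_MKNOD": 27,
    "CAP_LEASE": 28, "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
    "CAP_SETFCAP": 31, "CAP_MAC_OVERRIDE": 32, "CAP_MAC_ADMIN": 33,
    "CAP_SYSLOG": 34, "CAP_WAKE_ALARM": 35, "CAP_BLOCK_SUSPEND": 36,
    "CAP_AUDIT_READ": 37, "CAP_PERFMON": 38, "CAP_BPF": 39,
    "CAP_CHECKPOINT_RESTORE": 40,
}

# The answer's four examples of "root-only" kernel services, mapped to the
# capability each one actually checks (my mapping, not the answer's text).
OPERATIONS: Dict[str, Set[str]] = {
    "configure interfaces/routes/netfilter": {"CAP_NET_ADMIN"},
    "open raw sockets": {"CAP_NET_RAW"},
    "mount/unmount/remount filesystems": {"CAP_SYS_ADMIN"},
    "chown / override file permissions": {"CAP_CHOWN", "CAP_FOWNER", "CAP_DAC_OVERRIDE"},
}

# Constructed sample masks. DOCKER_DEFAULT_ROOT is the effective set of root
# in a default `docker run`; the others model --cap-drop / --cap-add.
DOCKER_DEFAULT_ROOT = "00000000a80425fb"
CAP_DROP_ALL = "0000000000000000"


def decode_capeff(mask_hex: str) -> Set[str]:
    """Return the capability names whose bits are set in a CapEff hex mask."""
    mask = int(mask_hex, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def add_caps(mask_hex: str, names: Iterable[str]) -> str:
    """Model `--cap-add`: set the given capability bits and return the new mask."""
    mask = int(mask_hex, 16)
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return f"{mask:016x}"


def permitted_operations(mask_hex: str) -> Dict[str, bool]:
    """For each operation in OPERATIONS, True iff the mask grants every
    capability it needs."""
    caps = decode_capeff(mask_hex)
    return {op: needed <= caps for op, needed in OPERATIONS.items()}


def current_capeff() -> Optional[str]:
    """Read this process's own CapEff from /proc (Linux only; None elsewhere)."""
    try:
        with open("/proc/self/status") as status:
            for line in status:
                if line.startswith("CapEff:"):
                    return line.split()[1]
    except OSError:
        pass
    return None


if __name__ == "__main__":
    samples = [
        ("docker run (default, root)", DOCKER_DEFAULT_ROOT),
        ("docker run --cap-drop=ALL", CAP_DROP_ALL),
        ("docker run --cap-add=NET_ADMIN", add_caps(DOCKER_DEFAULT_ROOT, ["CAP_NET_ADMIN"])),
    ]
    own = current_capeff()
    if own is not None:
        samples.append(("this process", own))
    for label, mask in samples:
        print(f"{label}: CapEff={mask}")
        for op, allowed in permitted_operations(mask).items():
            print(f"  {'ALLOW' if allowed else 'deny '}  {op}")
```

Running it inside a default container shows the practical consequence of the answer: root there can still open raw sockets and override file permissions (NET_RAW, CHOWN, DAC_OVERRIDE, FOWNER are kept), but cannot touch routing tables, netfilter or mounts because NET_ADMIN and SYS_ADMIN are dropped; `--cap-drop=ALL` closes the remaining paths, and `--cap-add` reopens exactly the code paths you name.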

