-- Leo's gemini proxy

-- Connecting to perso.pw:1965...

-- Connected

-- Sending request

-- Meta line: 20 text/gemini;

How to use Docker from a Linux host system to escalate to root


Author: Solène

Date: 19 July 2022

Tags: security linux docker


Comment on Mastodon


Introduction


It's often said Docker is not very good with regard to security, let me illustrate a simple way to get root access to your Linux system through a docker container. This may be useful for people who would have docker available to their user, but whose company doesn't give them root access.


This is not a Docker vulnerability being exploited, just plain Docker by design. It is not a way to become root from *within* the container, you need to be able to run docker on the host system.


If you use this to break against your employer internal rules, this is your problem, not mine. I do write this to raise awareness about why Docker for systems users could be dangerous.


UPDATE: It is possible to run the Docker as a regular user since October 2021.


Run the docker daemon as a user


How to proceed


We will start a simple Alpine docker container, and map the system root file system / on the /mnt container directory.


docker run -v /:/mnt -ti alpine:latest

From there, you can use the command `chroot /mnt` to obtain a root shell of your system.


You are now free to use "passwd" to change root password, or `visudo` to edit sudo rules, or you could use the system package manager to install extra software you want.


Some analogy


If you don't understand why this works, here is a funny analogy. Think about being in a room as a human being, but you have a super power that allows you to imagine some environment in a box in front of you.


Now, that box (docker) has a specific feature: it permits you to take a piece of your current environment (the filesystem) to project it in the box itself. This can be useful if you want to imagine a beach environment and still have your desk in it.


Now, project your whole room (the host filesystem) into your box, and now, you are all mighty for what's happening in the box, which turn to be your own room (you are root, the super user).


Conclusion


Users who have access to docker can escalate to root in a few seconds and megabytes.

-- Response ended

-- Page fetched on Mon May 6 04:26:33 2024