9

I've seen plenty of ink spilled by now about how Docker is not sufficiently isolated to allow arbitrary containers to be run in a multi-tenant environment, and that makes sense. "If it's root in Docker, consider it root in the host machine." What about non-root though?

If I want to take some untrusted code and run it in a container, can it be done safely so long as the container is running as a non-root non-sudo user? What are the potential security pitfalls of doing something like that?

I'm fairly sure there are production applications doing this today (CI systems, runnable pastebins), but are they just lucky not to have had a determined attacker or is this a reasonable thing to do in a production system?

Michael Bleigh
  • 191
  • 2
  • I'm talking about *inside the container* either having the Dockerfile run the process as a non-root user with USER or running a script before untrusted code is executed that changes to a non-root user. – Michael Bleigh Aug 28 '15 at 20:54

2 Answers2

3

Docker and LXC technology itself is still in very early stages when it comes to exploitation testing. drewbenn is right in highlighting the difficulties of running Docker containers as a non root user - there are inherently some very low level things that need to happen in order to start up an LXC container.

Something interesting to consider though is the intended target any malware that you're trying to isolate in the container.

Say the malware was trying to exploit a flaw in a piece of local software to do privilege escalation. It might achieve that inside the container, but then it would also have to have been written specifically to attempt to break out of docker containers to do something malicious.

So the question is - will the people who are writing this untrusted code know that you're going to be running it inside a container? If they do (or if they suspect you will) there's a much higher likelyhood of a vulnerability turning up that exploits a dockerised environment directly.

Nic Barker
  • 1,170
  • 7
  • 11
  • 1
    `will the people who are writing this untrusted code know that you're going to be running it inside a container?` That's security by obscurity - you shouldn't rely on that. – mgarciaisaia Dec 30 '16 at 02:29
0

An application running in a standard Docker container as a non-root user is essentially just a non-privileged process running on the host, with additional restrictions applied to it.

Firstly, the application will reside within its own set of namespaces (e.g. mount, net) restricting it's view of the host's resources.

Then assuming a standard Docker configuration, on debian derivatives, there will be an AppArmor profile applied to the application, restricting some access.

Additionally (assuming it's not running under Kubernetes), a seccomp profile will be applied to the application process restricting its access to specific syscalls.

In terms of breakout opportunities, assuming that the container is non-root and was not run with the --privileged flag or mounting files from the underlying host, the attacker's on-host breakout opportunities primarily relate to attacking the underlying Linux kernel. If there are unpatched privesc issues in the running kernel the attacker may be able to exploit these, although it's possible the syscall filter or AppArmor profile would block them.

Rory McCune
  • 60,923
  • 14
  • 136
  • 217