-
Notifications
You must be signed in to change notification settings - Fork 378
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Improvement] Prevent docker's root to modify host stuff #201
Comments
Hello @dlesaffre If you're using I'm interested in having a solution for this, but as of now it is not possible to have the same prompt between outside and inside the container, as it is not possible to simply copy the user password from host to guest. Also for now seems like Docker cannot do user namespace remapping without renouncing also to host network, pid and ipc so we cannot do an unprivileged one like on podman EDIT: |
@dlesaffre I've implemented a fix for this de-privileging the docker container, can you check if it respects what you expect? (that it cannot do stuff on the host that is) EDIT: to be clear, this fix involves |
The code change in #202 still allows to change iptables rules on the host, without asking for a sudo password. |
Yea I tested it does not, it's probably not possible with docker to limit this stuff without losing integration with the host (network and such) |
In future I also plan to support rootful podman so probably this disclaimer has to be made anyway, a root inside a rootful container, is root also on the main system Regarding adding a sudo password, the problem here is not that it's not possible (it could just be a question during create, defaulting to passwordless to not break backward compatibilty) but the problem is passing the argument to the entrypoint, either via ENV or via flag, it would be easily read when doing a |
include badge for latest available releases on various distros thanks to all the package maintainers! Include a warning for rootful docker usage as discussed on #201
As stated above I've added a warning to the main page about this behavior on docker. Closing this and will open a new one for rootless docker and (if we manage) rootless containerd in general |
Describe the bug
This combination makes it possible to alter the iptables rules without the need to provide a password. And probably a lot of other security sensitive settings.
To Reproduce
Steps to reproduce the behavior
Run your container, change the iptables rules:
There is no prompt for a password.
The iptables on the host system are affected.
On the host, my user is required to provide a password when using sudo.
Expected behavior
A clear and concise description of what you expected to happen.
I expected to be prompted for a password when using the sudo command, as configured on the host.
Desktop (please complete the following information):
Additional context
container:
The text was updated successfully, but these errors were encountered: