Security: make Docker safe in multi-tenant situations. #6324

Open
cyphar opened this Issue Jun 10, 2014 · 11 comments

cyphar commented Jun 10, 2014

This is a meta issue, used to group together issues which work towards the following goal.

Currently, Docker is completely unsafe in multitenant situations. Any user which can write to the docker.sock socket has full access to the host filesystem. This issue becomes even worse, considering the fact that several projects mount the Docker socket inside Docker containers -- where an exploited container could break out of the Docker sandbox without any real restrictions.

This issue will track other issues which work toward the above goal of securing the Docker daemon in multi-tenant situations.

Current issues

  • Filesystem safety.
    • References to container resources shouldn't escape the container's basefs.
      • #5619 (PR: #6000) (absolute symlinks and symlink path components copy host target).
      • #5656 (garbage paths could resolve to path in host).
  • Container users aren't namespace'd.
    • Container's root shouldn't be able to read/write/execute as the host's root.
      • #2918 (PR: #4572) (container root is identical to host root -- volumes can be written and read from as host root inside container).
  • Docker doesn't have any ACL. Writing to docker.sock == root.
    • Implement access control #15365
  • Docker runs as root, which means that any bugs in Docker can cause much more damage than necessary. https://rootlesscontaine.rs/ is something I've been working on.

There are almost certainly more issues that I haven't thought of. Please add them if you know of any. This issue can only be closed when the Docker daemon is far more secure in multi-tenant situations.
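
The filesystem-safety items in the list above (absolute symlinks, symlink path components, garbage paths) all require that a container-supplied path be resolved against the container's root rather than the host's. The following Go example is added here and is not code from this issue or from Docker; `resolveInScope` and the sample root directory are hypothetical names.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInScope resolves the untrusted path p as if root were "/", so that
// neither ".." nor a symlink (absolute or relative) can name a path outside
// root. The result is only safe while nothing can modify the tree concurrently.
func resolveInScope(root, p string) (string, error) {
	cur := "/" // resolved so far, expressed relative to root
	todo := strings.Split(p, "/")
	for links := 0; len(todo) > 0; {
		c := todo[0]
		todo = todo[1:]
		if c == ".." {
			cur = filepath.Dir(cur) // Dir("/") is "/", so ".." clamps at root
		}
		if c == "" || c == "." || c == ".." {
			continue
		}
		next := filepath.Join(cur, c)
		fi, err := os.Lstat(filepath.Join(root, next))
		if err != nil && !os.IsNotExist(err) {
			return "", err
		}
		if err != nil || fi.Mode()&os.ModeSymlink == 0 {
			cur = next // missing or ordinary entry: descend without following
			continue
		}
		target, err := os.Readlink(filepath.Join(root, next))
		if links++; err != nil || links > 40 {
			return "", fmt.Errorf("cannot follow symlink %q (depth %d): %v", next, links, err)
		}
		if filepath.IsAbs(target) {
			cur = "/" // an absolute target restarts at the container root
		}
		todo = append(strings.Split(target, "/"), todo...)
	}
	return filepath.Join(root, cur), nil
}

func main() { fmt.Println(resolveInScope("/tmp/rootfs-example", "../../etc/passwd")) }
```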

termie commented Mar 10, 2015

-subscribe-

rgbkrk commented Mar 10, 2015

How safe is using a non-root user in the container? Same as a non-root user on the host?

tphyahoo commented Mar 17, 2015

Could this have label project/security added?

tphyahoo commented Mar 17, 2015

Since I can't add labels myself, I commented on the issues that seemed to me most critical to improving security. These are probably all relevant to the current meta issue:

https://github.com/docker/docker/issues?q=commenter%3Atphyahoo+security

Perhaps an admin can follow up with proper labels for follow-up.

bettiolo commented Aug 10, 2015

@mseri can you look into fixing this?

thaJeztah commented Aug 15, 2015

This PR (and related issues) may be of interest for those following this: #15365

alexanderkjeldaas commented Nov 29, 2015

Some of the info here seems not to be up to date. See for example https://github.com/docker/docker/blob/master/experimental/userns.md

adamkdean commented Nov 9, 2017

What is the latest on the ACL front?

thaJeztah commented Nov 9, 2017

ACL can be added through Authorization plugins; https://docs.docker.com/engine/extend/plugins_authorization/
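
An added example, not part of the thread or of any existing Docker plugin: the decision function of an authorization plugin, reading the request JSON the daemon sends to `/AuthZPlugin.AuthZReq` as described in the linked documentation. The policy itself, the `authorize` name and the admin list are assumptions; the two return values correspond to the `Allow` and `Msg` fields of the plugin's JSON reply.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// authzRequest is the subset of the daemon's POST to /AuthZPlugin.AuthZReq that
// this policy reads (Go matches the "RequestUri" JSON key case-insensitively).
type authzRequest struct {
	User, RequestMethod, RequestURI string
	RequestBody                     []byte // base64 in the JSON
}

var createRe = regexp.MustCompile(`^(/v[0-9.]+)?/containers/create(\?|$)`)

// authorize is a hypothetical fail-closed tenant policy: admins pass; anyone
// else, including an unauthenticated (empty) User, may only create containers
// that are unprivileged and bind-mount no host path such as docker.sock.
func authorize(raw []byte, admins map[string]bool) (allow bool, msg string) {
	var req authzRequest
	var body struct {
		HostConfig struct {
			Privileged bool
			Binds      []string
			Mounts     []struct{ Type, Source string }
		}
	}
	err := json.Unmarshal(raw, &req)
	if err == nil && req.User != "" && admins[req.User] {
		return true, ""
	}
	bad := err != nil || req.RequestMethod != "POST" || !createRe.MatchString(req.RequestURI) ||
		json.Unmarshal(req.RequestBody, &body) != nil || body.HostConfig.Privileged
	for _, b := range body.HostConfig.Binds {
		bad = bad || strings.HasPrefix(b, "/") // "/host/path:/dest[:opts]"
	}
	for _, m := range body.HostConfig.Mounts {
		bad = bad || m.Type == "bind"
	}
	if bad {
		return false, "non-admins may only create unprivileged containers without host bind mounts"
	}
	return true, ""
}

func main() { fmt.Println(authorize([]byte(`{"RequestMethod":"GET","RequestUri":"/info"}`), nil)) }
```

Other escalation paths in `HostConfig` (for example `CapAdd`, `Devices` or `PidMode`) would need the same treatment in a real policy.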

edward-of-clt commented Feb 8, 2018

-subscribe-

vdemeester commented Feb 14, 2018
