Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Being a member of the docker group is the same as giving a user full root access to the system #131

Closed
timthelion opened this issue Mar 5, 2014 · 13 comments
Closed

Being a member of the docker group is the same as giving a user full root access to the system #131

timthelion opened this issue Mar 5, 2014 · 13 comments
Labels
Future security
Milestone
1.0

Comments

@timthelion
Copy link
Contributor

Since they can mount volumes to docker and run processes in docker as UID=0(root)....
@timthelion timthelion added this to the 1.0 milestone Mar 5, 2014
@timthelion
Copy link
Contributor Author

The proper fix for this issue is to create an "ambasador deamon" wich communicates with docker indirectly.

@timthelion
Copy link
Contributor Author

This is waiting on user mappings:

>
> Recent improvements in Linux namespaces will soon allow to run 
> full-featured containers without root privileges, thanks to the new user
> namespace. This is covered in detail here. Moreover, this will solve the 
> problem caused by sharing filesystems between host and guest, since the 
> user namespace allows users within containers (including the root user) to > be mapped to other users in the host system.

se here ...

@timthelion
Copy link
Contributor Author

This issue should be resolved within the realm of the docker project probably through a pull request.

@timthelion
Copy link
Contributor Author

moby/moby#2918

@timthelion
Copy link
Contributor Author

moby/moby#3124

@timthelion
Copy link
Contributor Author

moby/moby#1034

@timthelion
Copy link
Contributor Author

moby/moby#3143

@timthelion
Copy link
Contributor Author

moby/moby#1121

@timthelion
Copy link
Contributor Author

moby/moby#2919

@timthelion
Copy link
Contributor Author

moby/moby#3206

@timthelion
Copy link
Contributor Author

moby/moby#1655

@timthelion timthelion mentioned this issue Mar 5, 2014
Closed
@mithro mithro mentioned this issue Aug 3, 2014
Open
@brentp brentp mentioned this issue Mar 17, 2015
Open
4 tasks
timthelion added a commit that referenced this issue Oct 5, 2015
@timthelion
Allow running subuser as root user
51539c8 
This allows you to not have your normal user be a member of the docker group #131 #223 . This is extremrely messy, non-documented, non-tested code.

In order to use, create a `/root/.subuser` directory and put a `/root/.subuser/config.json` file inside:

{
 "user":"timothy"
,"subuser-home-dirs-dir":"/home/timothy/subuser-homes"
}

Replace `timothy` with your username.

This will alow you to run subuser as root, but have your subuser's run as the user timothy.
@timthelion timthelion mentioned this issue Jan 16, 2017
Merged
@Queuecumber
Copy link

Is there still any plan to do this? I know of at least one lab who's IT department has refused to allow docker to be used on their cluster because it would allow non-privileged users to have root access.

@timthelion
Copy link
Contributor Author

timthelion commented Jun 28, 2017 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Future security
Projects
None yet
Milestone
1.0
Development

No branches or pull requests
2 participants
@timthelion @Queuecumber