The documentation on how to use the images states:
You should only enable sudo if you trust the user or if the container is running on an isolated host.
I would like to understand that better. To the best of my understanding, root cannot escape from a non-privileged container assuming there are no vulnerabilities in the docker daemon and the host OS.
On the other hand, the warning seems to imply something more than merely saying that if the installation is vulnerable, giving the container user root exposes a larger attack surface.
Is there any source of this, or is the warning really against a hypothetical CVE?
As far as I know, Dan Walsh's observations in 2014 and beyond that "containers do not contain" (https://opensource.com/business/14/7/docker-security-selinux, https://opensource.com/business/14/9/security-for-docker, http://www.projectatomic.io/blog/2014/09/yet-another-reason-containers-don-t-contain-kernel-keyrings/) still hold true today. That said, I am not a container security expert, and so the comment in the README is possibly too conservative given changes in Docker and the container ecosystem in general over the past 4 years. It would be great to get someone with subject matter expertise to help out here.
Maybe this quote from the Docker Security guide could be a good justification for the warning on the documentation.
The best way to prevent privilege-escalation attacks from within a container is to configure your container's applications to run as unprivileged users. For containers whose processes must run as the root user within the container, you can re-map this user to a less-privileged user on the Docker host. The mapped user is assigned a range of UIDs which function within the namespace as normal UIDs from 0 to 65536, but have no privileges on the host machine itself.
I can manage to quote it in the documentation if it makes sense.
I've just submitted PR #1031. If everyone agrees, once it is merged we could close this issue.
Best.
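A concrete way to see what the quoted Docker passage means in practice is to look at the container's /proc/<pid>/uid_map, which is where the kernel records how UIDs inside the user namespace map onto host UIDs. The script below is an added example written for this thread; it is not code from the images' documentation, from PR #1031 or from Docker. The two uid_map contents are constructed samples: the identity mapping a container gets when dockerd runs without user namespace remapping, and an assumed subordinate range starting at host UID 100000 such as dockerd allocates from /etc/subuid when "userns-remap": "default" is set in /etc/docker/daemon.json. Whether container root is host root is exactly the question the README warning is about, and the check makes the answer mechanical.

```shell
#!/bin/sh
# Added example for this thread, not part of the project or of Docker.
# Given the text of a process's /proc/<pid>/uid_map and a UID as seen inside
# the container, print the host UID it maps to, or "unmapped" if no mapping
# line covers it. Each uid_map line is:
#   <first UID inside the namespace> <first UID on the host> <count>
host_uid_for() {
    uid_map="$1"
    inside_uid="$2"
    printf '%s\n' "$uid_map" | awk -v uid="$inside_uid" '
        NF == 3 && uid + 0 >= $1 + 0 && uid + 0 < $1 + $3 {
            print $2 + (uid - $1); found = 1; exit
        }
        END { if (!found) print "unmapped" }'
}

# Constructed sample: without userns-remap the container keeps the identity
# mapping, so UID 0 inside the container is UID 0 on the host.
NO_REMAP_MAP="         0          0 4294967295"

# Constructed sample: with "userns-remap": "default" in /etc/docker/daemon.json,
# dockerd maps the container's UIDs 0..65535 onto a subordinate host range
# taken from /etc/subuid; 100000 is an assumed starting value.
REMAP_MAP="         0     100000      65536"

# Summarise what container root actually is on the host.
# On a live host, feed in the real map instead of a constant:
#   cat /proc/$(docker inspect -f '{{.State.Pid}}' <container>)/uid_map
check_container_root() {
    host_root="$(host_uid_for "$1" 0)"
    case "$host_root" in
        0)        echo "WARNING: container root is host root (UID 0)";;
        unmapped) echo "container root has no host mapping";;
        *)        echo "container root maps to unprivileged host UID $host_root";;
    esac
}

check_container_root "$NO_REMAP_MAP"
check_container_root "$REMAP_MAP"
```

The first call reports that container root is host UID 0, which is the situation the README warning describes when sudo is enabled; the second reports an unprivileged host UID, which is the remapping the quoted Docker guide recommends. Note that remapping limits what a breakout gains, it does not by itself remove the kernel and daemon attack surface discussed above.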
Hello,
PR #1031 merged and documentation updated. If everyone agrees we can close this issue 😄