What are the potential security issues caused by untrusted code in a Docker container as a non-root user?

I have seen a lot of ink spilled so far about how Docker is not sufficiently isolated to allow arbitrary containers to run in a multi-tenant environment, and that makes sense. "If it is root in Docker, consider it as root on the host machine." How about non-root though?

If I want to take untrusted code and run it in a container, can it be done safely as long as the container is started as a non-root user? What are the potential security issues associated with this?

I am sure that there are production applications doing this today (CI systems, runnable pastebins), but have they just been lucky that they have not had a specific intruder, or is this a reasonable thing to do in a production system?

+7
security docker multi-tenant
2 answers

As of Docker v1.12, if you run the container as a non-root user with user namespaces enabled, there are two levels of privilege escalation that a malicious actor must achieve in order to become root on the host:

  • Escalation from the non-root user to the root user inside the container
  • Escalation from the root user in the container to the root user on the host

Thus, if untrusted code runs inside the Docker container as a non-root user, it will be a little more difficult for an attacker to become root on the host, since we add the extra step of becoming root inside the container. This is the only security benefit compared to running containers with root privileges.

In the case of privilege escalation through both security levels, the following should help limit the attack surface:

  • Workloads (in particular, Docker containers in this context) with different levels of trust should be isolated from each other using overlay networks, following the principle of least privilege.
  • An available Linux security module (e.g. SELinux, AppArmor) should be enabled in enforcing mode.

+1
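The two escalation barriers and the security-module point from the answer above can be checked against a container's actual configuration. The following is an added example, not code from either answer: the `audit` function is hypothetical, and the JSON samples are constructed to resemble trimmed `docker inspect` and `docker info --format '{{json .SecurityOptions}}'` output.

```python
import json

# Constructed sample: trimmed `docker inspect <container>` output (one element).
SAMPLE_INSPECT = json.loads("""
{"Config": {"User": "1000:1000"},
 "HostConfig": {"Privileged": false, "UsernsMode": "",
                "SecurityOpt": ["apparmor=unconfined"], "CapAdd": null}}
""")
# Constructed sample: `docker info --format '{{json .SecurityOptions}}'`.
SAMPLE_DAEMON_OPTS = ["name=apparmor", "name=seccomp,profile=default", "name=userns"]


def audit(inspect, daemon_opts):
    """Return findings that weaken either escalation barrier or the LSM."""
    findings = []
    host = inspect.get("HostConfig", {})
    # Older Docker releases wrote security options as "key:value".
    sec_opt = [o.replace(":", "=", 1) for o in (host.get("SecurityOpt") or [])]
    daemon = {o.split(",")[0] for o in daemon_opts}

    # Barrier 1: non-root -> root inside the container.
    user = (inspect.get("Config", {}).get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("process runs as root inside the container")
    if host.get("CapAdd"):
        findings.append("extra capabilities added: " + ",".join(host["CapAdd"]))

    # Barrier 2: container root -> host root (user namespace remapping).
    if "name=userns" not in daemon:
        findings.append("daemon has no user namespace remapping")
    elif host.get("UsernsMode") == "host":
        findings.append("container opted out of user namespaces")
    if host.get("Privileged"):
        findings.append("privileged container")

    # Linux security module must be present and not switched off per container.
    if not daemon & {"name=apparmor", "name=selinux"}:
        findings.append("no AppArmor/SELinux on the daemon")
    if {"apparmor=unconfined", "label=disable"} & set(sec_opt):
        findings.append("LSM confinement disabled for this container")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSPECT, SAMPLE_DAEMON_OPTS):
        print("WARN:", finding)
```

An empty result only means these settings are in place; it says nothing about the shared kernel, which no container setting removes from the attack surface.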

All containers use the same kernel. In the event that your untrusted code can execute a kernel exploit, it can do whatever it wants on the host and/or in any other running container.

0
