Introduction
Introduction Statistics Contact Development Disclaimer Help
Title: How to use Docker from a Linux host system to escalate to root
Author: Solène
Date: 19 July 2022
Tags: security linux docker
Description: This article explains how to escalate to root in a few
seconds given your system user can run docker.
# Introduction
It's often said Docker is not very good with regard to security, let me
illustrate a simple way to get root access to your Linux system through
a docker container. This may be useful for people who would have
docker available to their user, but whose company doesn't give them
root access.
This is not a Docker vulnerability being exploited, just plain Docker
by design. It is not a way to become root from *within* the container,
you need to be able to run docker on the host system.
If you use this to break against your employer internal rules, this is
your problem, not mine. I do write this to raise awareness about why
Docker for systems users could be dangerous.
UPDATE: It is possible to run the Docker as a regular user since
October 2021.
Run the docker daemon as a user
# How to proceed
We will start a simple Alpine docker container, and map the system root
file system / on the /mnt container directory.
```shell
docker run -v /:/mnt -ti alpine:latest
```
From there, you can use the command `chroot /mnt` to obtain a root
shell of your system.
You are now free to use "passwd" to change root password, or `visudo`
to edit sudo rules, or you could use the system package manager to
install extra software you want.
# Some analogy
If you don't understand why this works, here is a funny analogy. Think
about being in a room as a human being, but you have a super power that
allows you to imagine some environment in a box in front of you.
Now, that box (docker) has a specific feature: it permits you to take a
piece of your current environment (the filesystem) to project it in the
box itself. This can be useful if you want to imagine a beach
environment and still have your desk in it.
Now, project your whole room (the host filesystem) into your box, and
now, you are all mighty for what's happening in the box, which turn to
be your own room (you are root, the super user).
# Conclusion
Users who have access to docker can escalate to root in a few seconds
and megabytes.
You are viewing proxied material from dataswamp.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.