Title: How to use Docker from a Linux host system to escalate to root
Author: Solène
Date: 19 July 2022
Tags: security linux docker
Description: This article explains how to escalate to root in a few
seconds given your system user can run docker.
# Introduction
It's often said that Docker is not very good with regard to security.
Let me illustrate a simple way to get root access to your Linux system
through a docker container. This may be useful for people who have
docker available to their user, but whose company doesn't give them
root access.

This is not a Docker vulnerability being exploited, just plain Docker
by design. It is not a way to become root from *within* the container;
you need to be able to run docker on the host system.

If you use this to break your employer's internal rules, this is
your problem, not mine. I write this to raise awareness about why
Docker for system users could be dangerous.

UPDATE: It has been possible to run the Docker daemon as a regular user
since October 2021.
Run the docker daemon as a user
# How to proceed
We will start a simple Alpine docker container and map the host's root
file system `/` onto the container directory `/mnt`.
```shell
docker run -v /:/mnt -ti alpine:latest
```
From there, you can use the command `chroot /mnt` to obtain a root
shell of your system.

You are now free to use `passwd` to change the root password, or `visudo`
to edit sudo rules, or you could use the system package manager to
install any extra software you want.
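
To spot containers that were started with a host bind mount like the one above, a defender can audit the `Mounts` section of `docker inspect` output. The following Python check is an added example, not part of the original article; the `SENSITIVE` path list and the sample JSON are constructed assumptions.

```python
import json
import posixpath

# Assumed list of host paths whose exposure is root-equivalent; adjust per site.
SENSITIVE = ("/etc", "/root")

# Constructed sample shaped like `docker inspect` output (fields trimmed).
SAMPLE = """[
 {"Name": "/shell", "Mounts": [
   {"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": true}]},
 {"Name": "/web", "Mounts": [
   {"Type": "bind", "Source": "/srv/www", "Destination": "/var/www", "RW": false},
   {"Type": "volume", "Source": "/var/lib/docker/volumes/c/_data",
    "Destination": "/cache", "RW": true}]},
 {"Name": "/backup", "Mounts": [
   {"Type": "bind", "Source": "/etc", "Destination": "/data", "RW": false}]}
]"""

def exposes(source, sensitive=SENSITIVE):
    """Return the sensitive host paths reachable through a bind of `source`."""
    src = "/" + posixpath.normpath(source).lstrip("/")
    hits = []
    for path in sensitive:
        # Hit when source is /, the path, its ancestor, or a directory inside it.
        if (src in ("/", path) or path.startswith(src + "/")
                or src.startswith(path + "/")):
            hits.append(path)
    return hits

def audit(inspect_json):
    """Return one finding per bind mount that exposes a sensitive host path."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts") or []:
            if mount.get("Type") != "bind":
                continue  # this check covers bind mounts only
            hits = exposes(mount["Source"])
            if hits:
                findings.append({
                    "container": container.get("Name", "").lstrip("/"),
                    "source": mount["Source"],
                    "destination": mount["Destination"],
                    "writable": bool(mount.get("RW")),
                    "exposes": hits,
                })
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On a real host, pass `audit()` the output of `docker inspect $(docker ps -q)` instead of the sample.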
# Some analogy
If you don't understand why this works, here is a funny analogy. Think
about being in a room as a human being, but you have a super power that
allows you to imagine some environment in a box in front of you.

Now, that box (docker) has a specific feature: it permits you to take a
piece of your current environment (the filesystem) and project it into the
box itself. This can be useful if you want to imagine a beach
environment and still have your desk in it.

Now, project your whole room (the host filesystem) into your box, and
you are almighty over what's happening in the box, which turns out to
be your own room (you are root, the super user).
# Conclusion
Users who have access to docker can escalate to root in a few seconds
and megabytes.