How to use Docker from a Linux host system to escalate to root

Introduction

It's often said that Docker is not very good with regard to security. Let me illustrate a simple way to get root access to your Linux system through a Docker container. This may be useful for people who have docker available to their user, but whose company doesn't give them root access.

This is not a Docker vulnerability being exploited, just plain Docker by design. It is not a way to become root from within the container: you need to be able to run docker on the host system.

If you use this to break your employer's internal rules, this is your problem, not mine. I write this to raise awareness about why Docker for system users could be dangerous.

UPDATE: It has been possible to run the Docker daemon as a regular user since October 2021.

=> Run the docker daemon as a user

How to proceed

We will start a simple Alpine docker container and map the host's root file system / onto the container directory /mnt.

docker run -v /:/mnt -ti alpine:latest

From there, you can use the command chroot /mnt to obtain a root shell of your system.

You are now free to use "passwd" to change the root password, or visudo to edit sudo rules, or you could use the system package manager to install any extra software you want.

Some analogy

If you don't understand why this works, here is a funny analogy. Think about being in a room as a human being, but you have a super power that allows you to imagine some environment in a box in front of you.

Now, that box (docker) has a specific feature: it lets you take a piece of your current environment (the filesystem) and project it into the box itself. This can be useful if you want to imagine a beach environment and still have your desk in it.

Now, project your whole room (the host filesystem) into your box, and you are almighty over what's happening in the box, which turns out to be your own room (you are root, the super user).

Conclusion

Users who have access to docker can escalate to root in a few seconds and megabytes.
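
A defensive check that follows from this: every account that can reach the Docker daemon should be reviewed as if it had root. The script below is an added example, not part of the original article; it lists the members of the docker group, including accounts that only have it as their primary group. The function name is hypothetical, "docker" is assumed to be the socket group (the daemon's default), and the sample files are constructed.

```shell
#!/bin/sh
# Added example: list local accounts that can reach the Docker daemon through
# group membership, i.e. accounts able to run the bind-mount command above.
# Arguments (all optional): group file, passwd file, group name.
docker_root_equivalents() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    group_name=${3:-docker}   # assumption: the daemon's default socket group

    # group(5) format: name:password:gid:member1,member2
    entry=$(awk -F: -v g="$group_name" '$1 == g { print; exit }' "$group_file")
    [ -n "$entry" ] || return 0   # group absent: nothing to report

    gid=$(printf '%s\n' "$entry" | cut -d: -f3)
    {
        # Supplementary members named on the group line.
        printf '%s\n' "$entry" | cut -d: -f4 | tr ',' '\n'
        # Accounts whose primary group is the docker group; these do not
        # appear on the group line and are easy to miss in a review.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sed '/^$/d' | sort -u
}

# Constructed sample data (not from a real system).
demo=$(mktemp -d)
cat > "$demo/group" <<'EOF'
root:x:0:
docker:x:998:alice,bob
EOF
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
ci:x:1002:998::/home/ci:/bin/sh
EOF
docker_root_equivalents "$demo/group" "$demo/passwd"   # alice, bob, ci (one per line)
rm -rf "$demo"
```

On hosts that resolve groups through LDAP or SSSD, save the output of `getent group` and `getent passwd` to files and pass those instead of the local files.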

Original URL: gemini://perso.pw/blog//articles/use-docker-to-become-root.gmi