Docker root access to host system

心在旅途 2021-02-02 11:46

When I run a container as a normal user I can map and modify directories owned by root on my host filesystem. This seems to be a big security hole. For example

3 answers
  •  生来不讨喜
    2021-02-02 11:58

    There are many Docker security features available to help with Docker security issues. The specific one that will help you is User Namespaces.

    Basically you need to enable User Namespaces on the host machine with the Docker daemon stopped beforehand:

    dockerd --userns-remap=default &
    

    Note this will forbid the container from running in privileged mode (a good thing from a security standpoint) and restart the Docker daemon (it should be stopped before performing this command). When you enter the Docker container, you can restrict it to the current non-privileged user:

    docker run -it --rm -v /bin:/tmp/a --user UID:GID debian
    

    Regardless, try to enter the Docker container afterwards with your default command of

    docker run -it --rm -v /bin:/tmp/a debian
    

    If you attempt to manipulate the host filesystem that was mapped into a Docker volume (in this case /bin) where files and directories are owned by root, then you will receive a Permission denied error. This proves that User Namespaces provide the security functionality you are looking for.

    I recommend going through the Docker lab on this security feature at https://github.com/docker/labs/tree/master/security/userns. I have done all of the labs and opened Issues and PRs there to ensure the integrity of the labs there and can vouch for them.
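An added example, not part of the answer above: a small audit helper that models what `--userns-remap` does to ownership. It reads an `/etc/subuid`-style range for the remap user (the daemon's default is `dockremap`), computes which host UID a UID inside the container really is, and decides whether that host UID may write a root-owned file bind-mounted from the host. The subuid content and the file ownership values are constructed; `IdRange(0, 2**32)` stands in for a daemon without remapping.

```python
"""Audit helper for Docker user-namespace remapping (added example).
Shows why container 'root' cannot modify a root-owned bind mount once the
daemon runs with --userns-remap: container UID 0 becomes an unprivileged host UID."""
from dataclasses import dataclass

# Constructed stand-in for /etc/subuid (the real file is /etc/subuid, with /etc/subgid for GIDs).
SUBUID_SAMPLE = "dockremap:100000:65536\nalice:165536:65536\n"


@dataclass(frozen=True)
class IdRange:
    start: int  # first host UID assigned to the remap user
    count: int  # number of consecutive host UIDs in the range


def parse_subuid(text: str, user: str = "dockremap") -> IdRange:
    """Return the (start, count) range for `user`; ValueError if it has none."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            return IdRange(int(start), int(count))
    raise ValueError(f"no subordinate UID range for {user!r}")


def host_uid(container_uid: int, rng: IdRange) -> int:
    """Map a UID seen inside the container to the host UID it actually is.
    Container UID 0 maps to rng.start, so 'root' in the container is unprivileged."""
    if not 0 <= container_uid < rng.count:
        raise ValueError(f"uid {container_uid} is outside the {rng.count}-wide range")
    return rng.start + container_uid


def can_write(container_uid: int, rng: IdRange, owner_uid: int, mode: int) -> bool:
    """For a bind-mounted host file with owner `owner_uid` and permission bits `mode`,
    decide whether the (remapped) container process can write it. Group membership is
    ignored; only the owner and 'other' write bits are considered."""
    huid = host_uid(container_uid, rng)
    if huid == 0:  # only real host root bypasses the permission check
        return True
    if huid == owner_uid:
        return bool(mode & 0o200)
    return bool(mode & 0o002)


if __name__ == "__main__":
    r = parse_subuid(SUBUID_SAMPLE)
    print("container root is host uid", host_uid(0, r))  # 100000
    print("remapped root can write root-owned /bin/ls (0755)?", can_write(0, r, 0, 0o755))  # False
    print("unremapped root can write it?", can_write(0, IdRange(0, 2**32), 0, 0o755))  # True
```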
