Securing Docker From Privilege Escalation

Secure your Docker Containers from Privilege Escalation, if compromised

Posted by Utkarsh Agrawal on January 30, 2021 · 4 mins read
Preventing docker privilege escalation by using User NameSpaces

Hello all

Welcome to the new post, in this post we will see how we can secure docker from Privilege Escalation attacks.

For this I have created a scenerio where I have two user: utk & utk2. utk is a privileged user, and utk2 is a non privileged user.

Also, there is a file only some users can access it but not utk2, that also means utk can access the file, the filename is 'canyoureadme.txt'.

Below is the screenshot you can see.

But utk2 user can't read the file.

So our target is, we must run the container as utk2 so that, so that if container gets comprmised, he can't read canyoureadme.txt file.

We will run the docker container as normal first, and then we will start the container with user namespaces. By doing that, will make lot of confusions clear.

So we run the container, with volume that contain our targeted file, mounted on the container, and we check if we can read the file.

And yes we can read without namespaces.

Now we will run the containers with the user namespaces. But before going, we must understand what exactly is user namespaces.

User Namespaces isolates containers according to the user's permissions. So if you have a restricted user, then you can run the containers as the restricted user. The note point is: The container will run as root, but on host it will run as the restricted user. So now if your container compromises, you don't need to worry about the privilege escalation attacks, even though the attacker successfully escapes from the compromised container, the attacker will have less privileges inside Host. Lets just understand this as an practical example.

To create a username space follow this command:-

dockerd --userns-remap="youruser:youruser"

To use this command, first the docker service must be stopped, to do that, you can use service docker stop

youruser is the restricted user in this case utk2:utk2, the user must be reside inside these two files. /etc/subuid & /etc/subgid

Something like this:-

Now you have started the docker service with user namespace, we will execute the docker container.

As you can see, when we tried to read the targeted file we are getting permission denied error, even though we are root inside the container but still can't read.

Note: So this confirms that we successfully run the docker container as the permissions on utk2. Make sense? Because utk2 can not read the file, right, and we run the docker container as utk2, now this means the container is running as utk2 permission.

Next, we will run the container with --privileged flag, and we will see if user namespace will work as what we think.

But Docker said: If we wanted to use docker user namespaces, all containers started with default user namespaces by default, if you wanted to run a container as --privileged, you will need to disable user namespaces by giving --userns=host flag to docker container create, docker container run, or docker container exec

So --privilged flag will not work here. That means, you should never run docker with --privilged flag, while you can, but the security must be tight.


Thanks for reading this, Feedbacks are always welcome. Contact Twitter