docker-no-trivial-root

command module

v0.1.0 Latest Latest Go to latest Published: May 24, 2018 License: GPL-3.0 Imports: 7 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/ad-freiburg/docker-no-trivial-root

Links

Open Source Insights

README ¶

No Trivial Root for Docker

WARNING THIS IS VERY EXPERIMENTAL WITH NO CLAIM OF ACTUAL SECURITY

This is a very minimal docker authorization plugin designed to prevent trivial root escalation on docker already running with user namespaces.

To be absolutely clear without user namespaces this plugin is useless

One example of such a trivial way of gaining root would be

docker run --userns=host --rm -it -v /:/root/ busybox

Build/Download

Make sure you have a Go environment set up then do

go get github.com/ad-freiburg/docker-no-trivial-root

Alternatively you can download binary releases here

Setup

Again make sure you have user namespaces enabled

Create a startup unit for your init system of choice and make sure docker-no-trivial-root is launched as root on startup

For systemd (most distributions) this can be done with the following steps

# For a build from source
sudo cp $GOPATH/bin/docker-no-trivial-root /usr/sbin
sudo cp $GOPATH/src/github.com/ad-freiburg/docker-no-trivial-root/systemd/docker-no-trivial-root.service /lib/systemd/system/

# Or for a binary release
cd /tmp # necessary if your $HOME is not readable with sudo (because of NFS)
wget https://github.com/ad-freiburg/docker-no-trivial-root/releases/download/v0.1.0/docker-no-trivial-root_$(uname -m).tar.bz2
tar -xavf docker-no-trivial-root_$(uname -m).tar.bz2
cd docker-no-trivial-root_$(uname -m)/
sudo cp docker-no-trivial-root /usr/sbin/docker-no-trivial-root
sudo cp systemd/docker-no-trivial-root.service /lib/systemd/system/

sudo systemctl enable docker-no-trivial-root.service
sudo systemctl start docker-no-trivial-root.service

Enable the plugin by adding --authorization-plugin=no-trivial-root to your dockerd command line. On Ubuntu this is an ExecStart in /lib/systemd/system/docker.service

sudo systemctl edit --full docker.service
sudo systemctl daemon-reload
sudo systemctl restart docker.service

Test It

The following command should give an error message saying that --userns=host is not allowed

docker run --userns=host --rm -it -v /:/root/ busybox

also you should get permission denied running touch /root/foo inside the container created by the following command

docker run --rm -it -v /:/root/ busybox

What's Prevented

This authorization plugin currently prevents the following docker run parameters

--userns=host
--uts=host
--pid=host
--net=host
--log-driver
--log-opt
--cap-add
--device
--security-opt
--privileged

Configuration

At this time there is absolutely no configuration, if you want to block anything more than it currently does you must change the code.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL