Docker has become an indispensable tool in modern DevOps and development: it isolates the application environment, simplifies deployment and lets applications scale quickly. By default, however, the Docker daemon runs as root, and that creates a potentially dangerous zone that is often ignored in the early stages of a project.
Why does Docker run as root?
Docker relies on Linux kernel features: cgroups, namespaces, iptables rules, mounts, network interfaces and other system-level operations. Most of them are available only to the superuser (or to a process that holds the matching capabilities, such as CAP_SYS_ADMIN and CAP_NET_ADMIN).
That is why:
* the dockerd daemon starts as root,
* the docker CLI only sends requests to that daemon over its Unix socket (/var/run/docker.sock by default).
This keeps things simple and gives the daemon full control over the system, but it also means that anyone who can talk to the socket (for example, every member of the docker group) can obtain root on the host, and any flaw in the daemon or the container runtime is a flaw in a root process.
Why it is dangerous: container breakout, CVEs, RCE
Container breakout
With weak isolation (a privileged container, a bind mount of the host filesystem, a shared host namespace), an attacker who is root inside the container can chroot or pivot_root into the host filesystem and effectively land on the host.
Examples of real attacks:
* CVE-2019-5736, a vulnerability in runc: a malicious container or image could overwrite the host's runc binary through /proc/self/exe and execute code on the host as root.
* CVE-2021-3156 ("Baron Samedit"), a heap overflow in sudo: any local user can escalate to root. Inside a container that ships sudo it turns an unprivileged foothold into container root, which is the starting point for the escape routes above.
RCE (Remote Code Execution)
If the application in the container is vulnerable and runs as root, an RCE gives the attacker root inside the container. Combined with any of the breakout conditions above, or with a mounted daemon socket or the --privileged flag, that becomes full control over the host.
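Since the docker CLI merely forwards requests to a root daemon, any `docker run` invocation that hands the container the host filesystem, the daemon socket, a host namespace or full privileges is effectively a root shell on the host. The following shell script is an added example written for this article (not code from Docker or the original post): a pre-flight audit of a `docker run` argument list that flags exactly the breakout enablers discussed above. The option names are real `docker run` flags; the function names, the "FINDING"/"NOTE" output format and the sample argument lists are the example's own assumptions, and it needs no daemon to run.

```shell
#!/bin/sh
# Added example for this article; not code from Docker or the original post.
# Pre-flight audit of a `docker run` argument list for a rootful daemon.
# It inspects only the argument strings (no daemon needed), so it fits in a
# CI job or a shell wrapper around `docker run`.
#
# FINDING lines (counted) are settings that turn "root in the container"
# into "root on the host":
#   - bind mount of the host root (chroot/pivot_root into it = host shell),
#   - bind mount of the daemon socket (full control of the root daemon),
#   - --privileged, shared host namespaces, CAP_SYS_ADMIN / ALL.
# NOTE lines are hints that are not counted, e.g. no --user given.

# record_finding MESSAGE: print it and bump the global counter.
record_finding() {
    echo "FINDING: $1"
    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
}

# check_mount_source SPEC: SPEC is "src:dst[:opts]" (or just "src");
# records a finding if the host-side source path is dangerous.
check_mount_source() {
    src=${1%%:*}
    case "$src" in
        /) record_finding "bind mount of host root ($1) allows a chroot/pivot_root escape" ;;
        /var/run/docker.sock|/run/docker.sock)
           record_finding "daemon socket mount ($1) gives the container control of the root daemon" ;;
        /proc|/proc/*|/sys|/sys/*|/dev|/dev/*)
           record_finding "bind mount of $src exposes kernel or device interfaces" ;;
    esac
}

# mount_spec_source SPEC: prints the source=/src= value of a --mount spec such
# as "type=bind,source=/,target=/host"; prints nothing if there is none.
mount_spec_source() {
    old_ifs=$IFS
    IFS=,
    for kv in $1; do
        case "$kv" in
            source=*|src=*) printf '%s\n' "${kv#*=}" ;;
        esac
    done
    IFS=$old_ifs
}

# check_mount_spec SPEC: the --mount form of check_mount_source.
check_mount_spec() {
    src=$(mount_spec_source "$1")
    if [ -n "$src" ]; then check_mount_source "$src"; fi
}

# audit_docker_run ARGS...: prints findings, leaves their number in
# AUDIT_FINDINGS, returns 0 when clean and 1 when something was flagged.
audit_docker_run() {
    AUDIT_FINDINGS=0
    pending=""          # option still waiting for its value in the next arg
    has_user=0
    for arg in "$@"; do
        if [ -n "$pending" ]; then
            case "$pending" in
                volume) check_mount_source "$arg" ;;
                mount)  check_mount_spec "$arg" ;;
                ns)     if [ "$arg" = host ]; then
                            record_finding "--$pending_opt host shares a host namespace with the container"
                        fi ;;
            esac
            pending=""
            continue
        fi
        case "$arg" in
            -v|--volume)       pending=volume ;;
            -v=*|--volume=*)   check_mount_source "${arg#*=}" ;;
            --mount)           pending=mount ;;
            --mount=*)         check_mount_spec "${arg#*=}" ;;
            --privileged)      record_finding "--privileged grants all capabilities and raw device access" ;;
            --pid|--net|--network|--userns|--ipc)
                               pending=ns; pending_opt=${arg#--} ;;
            --pid=host|--net=host|--network=host|--userns=host|--ipc=host)
                               record_finding "$arg shares a host namespace with the container" ;;
            --cap-add=SYS_ADMIN|--cap-add=CAP_SYS_ADMIN|--cap-add=ALL)
                               record_finding "$arg is root-equivalent (mounts, namespaces, ...)" ;;
            -u|--user|-u=*|--user=*)
                               has_user=1 ;;
        esac
    done
    if [ "$has_user" -eq 0 ]; then
        echo "NOTE: no --user given; the process runs as the image's USER, root by default"
    fi
    [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Demonstration on a constructed argument list (the classic host-root mount):
if audit_docker_run -v /:/host --privileged alpine chroot /host; then
    echo "audit: clean"
else
    echo "audit: $AUDIT_FINDINGS finding(s), refusing to run"
fi
```

Wrapping the real command as `audit_docker_run "$@" && docker run "$@"` turns this into a gate; the NOTE about `--user` is deliberately not counted, because an image may already set a non-root USER, which the argument list alone cannot show.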
Rootless Docker: the solution
To reduce these risks, Docker added rootless mode. In this mode both the daemon and the containers run as an ordinary user inside a user namespace, without any root privileges on the host: "root" inside a container is mapped to the user's own UID, and the other container UIDs to that user's subordinate range from /etc/subuid. Even if an attacker takes over the container, an escape lands them as that unprivileged user rather than as host root, which sharply limits the damage they can do.
There are restrictions: you cannot bind ports below 1024 (for example 80 and 443) without an extra step done as root (raising net.ipv4.ip_unprivileged_port_start or granting cap_net_bind_service to rootlesskit), the --privileged mode and some network modes are not available, and only a subset of storage drivers is supported. For most development and CI/CD scenarios, however, rootless Docker does the job and noticeably raises the level of security.
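To verify the claim above on a real machine rather than trust the install script, check two things: does `docker info` report rootless mode, and which host UID does UID 0 inside a container map to? The shell script below is an added example for this article (not from the original post or from Docker's docs). The `docker info --format` and `docker run ... cat /proc/self/uid_map` invocations are standard CLI calls; the function names, the captured sample outputs and the UIDs in them (1000 for the user, 100000/65536 for the subordinate range) are constructed assumptions that depend on your own /etc/subuid. The parsing functions run on those samples, and the live section runs only if a docker CLI is on PATH.

```shell
#!/bin/sh
# Added example for this article; not code from Docker or the original post.
# Two checks: is the daemon really rootless, and what does "root" inside a
# container map to on the host? Parsing runs on captured text, so it can be
# reused in a CI assertion; the live part only runs if docker is installed.

# daemon_is_rootless INFO: INFO is the output of
#   docker info --format '{{.SecurityOptions}}'
# which lists entries such as "name=seccomp,profile=builtin name=rootless".
# Prints "yes" when the daemon reports rootless mode, "no" otherwise.
daemon_is_rootless() {
    case " $1 " in
        *"name=rootless"*) echo yes ;;
        *)                 echo no ;;
    esac
}

# container_root_host_uid UID_MAP: UID_MAP is /proc/self/uid_map as read
# inside a container, one "<ns-start> <host-start> <length>" line per range.
# Prints the host UID that container UID 0 maps to: 0 on a rootful daemon,
# the invoking user's UID in rootless mode.
container_root_host_uid() {
    printf '%s\n' "$1" | awk '$1 == 0 { print $2; exit }'
}

# Constructed samples of what the two commands typically print
# (the rootless values assume user 1000 with subuid range 100000-165535).
SAMPLE_INFO_ROOTLESS='[name=seccomp,profile=builtin name=rootless name=cgroupns]'
SAMPLE_INFO_ROOTFUL='[name=apparmor name=seccomp,profile=builtin name=cgroupns]'
SAMPLE_UID_MAP_ROOTFUL='         0          0 4294967295'
SAMPLE_UID_MAP_ROOTLESS='         0       1000          1
         1     100000      65536'

echo "rootless daemon (sample):            $(daemon_is_rootless "$SAMPLE_INFO_ROOTLESS")"
echo "container root -> host uid (rootful): $(container_root_host_uid "$SAMPLE_UID_MAP_ROOTFUL")"
echo "container root -> host uid (rootless): $(container_root_host_uid "$SAMPLE_UID_MAP_ROOTLESS")"

# Live check. In rootless mode the CLI must talk to the per-user socket that
# dockerd-rootless-setuptool.sh prints at install time, typically:
#   export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
if command -v docker >/dev/null 2>&1; then
    info=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null || true)
    echo "live: rootless=$(daemon_is_rootless "$info")"
    uid_map=$(docker run --rm alpine cat /proc/self/uid_map 2>/dev/null || true)
    if [ -n "$uid_map" ]; then
        echo "live: container root is host uid $(container_root_host_uid "$uid_map")"
    fi
fi

# Ports below 1024 in rootless mode (from the Docker rootless guide): an
# unprivileged daemon cannot bind 80/443 until one of these is done as root:
#   sudo sysctl net.ipv4.ip_unprivileged_port_start=0
#   sudo setcap cap_net_bind_service=ep "$(command -v rootlesskit)"
```

A host UID of 0 for container root is the number to watch: if it ever shows up on a machine you believe is rootless, the CLI is most likely pointed at the system socket rather than the user's one, so check DOCKER_HOST before anything else.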
Historically, running as root is an antipattern
From the very beginning, the Unix/Linux world has followed the principle of least privilege: the fewer rights a process has, the less harm it can do. Docker originally demanded root access; today that is considered a potential threat, and rootless mode is the way to bring Docker back in line with that principle.
Sources
https://docs.docker.com/engine/security/rootless/
https://rootlesscontaine.rs/