Is it possible to escalate privileges and escaping from a Docker container?
I'm learning a lot about docker. I'm practicing creating docker clusters using docker-swarm, registry, shipyard, etc.
I saw how easy it is to get root on a Docker host machine once you have entered the host as a limited user who has Docker privileges. I was wondering whether it could be possible, instead of this, to "escape" from a Docker container service to the Docker host machine (it doesn't matter whether as root or not).
Can this be done?
Any proof of concept? I was googling and I haven't found anything conclusive.
A user on a Docker host who has access to the docker group or privileges to sudo docker commands is effectively root (as you can do things like use docker to run a privileged container or mount the root filesystem inside a container), which is why it's very important to control that right.
Breaking out of a Docker container to the host is a different game and will be more or less difficult depending on a number of factors. Possible vectors include:
- Kernel vulnerabilities. Containers running on a host share the same kernel as the host, so if there's an exploitable issue in the kernel that may be used to break out of the container to the host
- Bad configuration. If a container that you have access to is running with --privileged, you're likely to be able to get access to the underlying host.
- Mounted filesystems. If a container you have mounts a host filesystem, you can likely change items in that filesystem, which could allow you to escalate privileges to the host.
- Mounted Docker socket. A relatively common (and dangerous) practice in Docker containers is to mount the docker socket inside a container, to allow the container to understand the state of the docker daemon. This allows a trivial breakout to the host. More information here.
If you're looking for more information I'd recommend these whitepapers from NCC: Abusing Privileged and Unprivileged Linux Containers and Understanding and Hardening Linux Containers. There's also a presentation I did which covers some of this stuff here.
If you're interested in Docker hardening I'd also recommend having a look at the CIS Security standard.
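The configuration vectors in the answer above (a container running with --privileged, a host filesystem bind-mounted into the container, and the Docker socket mounted inside the container) are all visible in the output of `docker inspect`, so a defender can audit a host for them without touching the containers. The script below is an added example, not code from the question or the answer: it parses a `docker inspect` JSON array and reports those risky settings, plus a host PID namespace. The two containers in `SAMPLE` are constructed for the example; the field names (`HostConfig.Privileged`, `HostConfig.PidMode`, `Mounts[].Type/Source/Destination/RW`) are the ones `docker inspect` emits.

```python
"""Audit `docker inspect` output for container-breakout risk factors:
--privileged, host PID namespace, host filesystem bind mounts and a
mounted Docker socket. Feed it the JSON from
`docker inspect $(docker ps -q)`; the sample below is constructed."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"
# Host paths that give broad write access to the host if bind-mounted.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/dev")


def _host_source(mount):
    """Return the host path of a bind mount, or "" for volumes and tmpfs."""
    return mount.get("Source", "") if mount.get("Type") == "bind" else ""


def audit_container(container):
    """Return a list of findings (strings) for one `docker inspect` entry."""
    name = container.get("Name", "?").lstrip("/")
    host_cfg = container.get("HostConfig", {})
    findings = []
    if host_cfg.get("Privileged"):
        findings.append(f"{name}: runs with --privileged")
    if host_cfg.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    for mount in container.get("Mounts", []):
        src = _host_source(mount)
        if not src:
            continue
        dest = mount.get("Destination")
        if src == DOCKER_SOCKET:
            findings.append(f"{name}: Docker socket mounted at {dest}")
        elif src in SENSITIVE_HOST_PATHS:
            rw = "rw" if mount.get("RW", True) else "ro"
            findings.append(f"{name}: host path {src} mounted {rw} at {dest}")
    return findings


def audit(inspect_json):
    """Audit every container in a `docker inspect` JSON array."""
    findings = []
    for container in json.loads(inspect_json):
        findings.extend(audit_container(container))
    return findings


# Constructed sample: one hardened container and one with every risky setting.
SAMPLE = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": ""},
     "Mounts": [{"Type": "volume", "Name": "webdata",
                 "Destination": "/data", "RW": True}]},
    {"Name": "/monitor",
     "HostConfig": {"Privileged": True, "PidMode": "host"},
     "Mounts": [
         {"Type": "bind", "Source": "/var/run/docker.sock",
          "Destination": "/var/run/docker.sock", "RW": True},
         {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
     ]},
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```

Run it as `docker inspect $(docker ps -q) | python3 audit.py` after changing the `__main__` block to read `sys.stdin`; the hardened `web` container produces no findings, while `monitor` trips all four checks. The mount check deliberately ignores named volumes, since those live under Docker's own storage rather than exposing an arbitrary host path.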