简体繁体 English

以非 root 用户身份在 Docker 容器中运行不受信任的代码有哪些潜在的安全问题？

[英]What are the potential security problems running untrusted code in a Docker container as a non-root user?

原文 2015-08-27 19:21:38 2 2 security/ docker/ multi-tenant

I've seen plenty of ink spilled by now about how Docker is not sufficiently isolated to allow arbitrary containers to be run in a multi-tenant environment, and that makes sense.到目前为止，我已经看到大量关于 Docker 没有充分隔离以允许在多租户环境中运行任意容器的墨水，这是有道理的。 "If it's root in Docker, consider it root in the host machine." “如果它是 Docker 中的 root，则认为它是主机中的 root。” What about non-root though?非root怎么办？

If I want to take some untrusted code and run it in a container, can it be done safely so long as the container is running as a non-root non-sudo user?如果我想获取一些不受信任的代码并在容器中运行它，只要容器以非 root 非 sudo 用户身份运行，就可以安全地完成吗？ What are the potential security pitfalls of doing something like that?做这样的事情有哪些潜在的安全隐患？

I'm fairly sure there are production applications doing this today (CI systems, runnable pastebins), but are they just lucky not to have had a determined attacker or is this a reasonable thing to do in a production system?我相当确定今天有生产应用程序在做这件事（CI 系统、可运行的 pastebins），但他们只是幸运没有遇到坚定的攻击者，或者在生产系统中这样做是否合理？

2 个解决方案

As of Docker v1.12, if one runs a container as a non-root user with user namespaces enabled, there are two levels of privilege escalation a malicious actor needs to perform in order to become root on host:从 Docker v1.12 开始，如果以启用用户命名空间的非 root 用户身份运行容器，恶意行为者需要执行两个级别的权限提升才能成为主机上的 root：

Escalate from non-root to root user inside container在容器内从非 root 用户升级为 root 用户
Escalate to root user in container to root user on the host将容器中的 root 用户升级为主机上的 root 用户

So in case untrusted code is run inside a Docker container as non-root user, it will be slightly more difficult for an attacker to become root on host, since we add an extra step of becoming root inside container.因此，如果不受信任的代码以非 root 用户身份在 Docker 容器内运行，攻击者在主机上成为 root 用户会稍微困难一些，因为我们添加了一个额外的步骤，即在容器内成为 root 用户。 That's the only advantage in terms of security compared to running containers with root privileges.与运行具有 root 权限的容器相比，这是安全性方面的唯一优势。

In case of privilege escalation through both layers of security, following should help restrict the attack surface:如果通过两个安全层提权，以下应该有助于限制攻击面：

Workloads(more specifically docker containers, in this context) with different trust levels should be isolated from each other by use of overlay networks following least privilege principle.具有不同信任级别的工作负载（更具体地说是 docker 容器，在这种情况下）应该通过使用遵循最小特权原则的覆盖网络相互隔离。
Enabling available Linux security module in enforcement mode(eg SELinux, AppArmor)在强制模式下启用可用的 Linux 安全模块（例如 SELinux、AppArmor）

References:参考：

Running with non-root privileges inside containers: https://groups.google.com/forum/#!msg/docker-user/e9RkC4y-21E/JOZF8H-PfYsJ在容器内以非 root 权限运行： https : //groups.google.com/forum/#!msg/docker -user/e9RkC4y-21E/JOZF8H- PfYsJ
Overlay networks: https://docs.docker.com/engine/userguide/networking/get-started-overlay/覆盖网络： https : //docs.docker.com/engine/userguide/networking/get-started-overlay/
User namespaces: https://docs.docker.com/engine/security/security/#/other-kernel-security-features用户命名空间： https : //docs.docker.com/engine/security/security/#/other-kernel-security-features

All containers share the same kernel.所有容器共享相同的内核。 In case your un-trusted code manages to perform a kernel exploit, it can do whatever it wants on the host and/or any other running container.如果您不受信任的代码设法执行内核漏洞利用，它可以在主机和/或任何其他正在运行的容器上做任何想做的事情。