davidino/description.md

## description.md

      
    Raw
  

              description.md
            
          
    Docker security improvement - Username Space

As you already know Docker released the 1.10 version with a huge list of features.
The list contains also a list of security improvment: one of that is the improving the user namespace
This is what it was happening before the version 1.10.
We are just runnging an alpine container mounting an external volume /var/log/.
:: include no-usernamespece.rd
As you can see the ownership of the files in the container it is exactly the one outside the container ( because we are mounting the volume ).
That means that the actual logget user in the container (root) can have access to these files and for example mess the up.
If we run the same exact code in the Docker 1.10 version adding the option --userns-remap=default to the deamon, this is the result:
:: include usermap.rd
The owner in now nobody and even if the actual logger user is root it have no access to that files.
SideNotes:
https://medium.com/on-docker/what-s-montague-docker-user-problems-and-patterns-79750c504aa1#.r2l9i55z3

  
## no-usernamespece.rd

➜  ~  ps -ef | grep -i daemon
root      21636      1  2 15:04 ?        00:00:00 /usr/bin/docker daemon -H fd://

➜  ~  docker run -it --rm -v /var/log:/var/log --name=demo alpine ls -latr /var/log/
total 35236
drwxr-xr-x    2 root     root          4096 Oct  5 15:57 apt
drwxr-xr-x    2 root     root          4096 Oct 20 16:18 dist-upgrade
-rw-r-----    1 root     adm             31 Oct 21 17:28 dmesg
-rw-r--r--    1 root     root         72557 Oct 21 17:29 bootstrap.log
drwxr-xr-x    2 root     root          4096 Nov  5 08:19 fsck
drwxr-xr-x    3 root     root          4096 Nov  5 08:49 installer
-rw-r-----    1 root     adm           6378 Dec 15 12:18 apport.log.1
drwxr-x---    2 root     adm           4096 Dec 17 06:04 unattended-upgrades
-rw-r-----    1 104      adm        1351288 Dec 19 05:56 syslog.2.gz
-rw-r-----    1 104      adm         402127 Dec 25 06:17 auth.log.1
-rw-r-----    1 104      adm        8667895 Dec 25 06:17 kern.log.1
-rw-r-----    1 104      adm         932806 Dec 25 06:21 syslog.1


## usermap.rd

➜  ~  ps -ef | grep -i daemon
root      21636      1  2 15:04 ?        00:00:00 /usr/bin/docker daemon -H fd:// --userns-remap=default

➜  ~  docker run -it --rm -v /var/log:/var/log --name=demo alpine ls -latr /var/log/
total 35260
drwxr-xr-x    2 nobody   nobody        4096 Oct  5 15:57 apt
drwxr-xr-x    2 nobody   nobody        4096 Oct 20 16:18 dist-upgrade
-rw-r-----    1 nobody   nobody          31 Oct 21 17:28 dmesg
-rw-r--r--    1 nobody   nobody       72557 Oct 21 17:29 bootstrap.log
drwxr-xr-x    2 nobody   nobody        4096 Nov  5 08:19 fsck
drwxr-xr-x    3 nobody   nobody        4096 Nov  5 08:49 installer
-rw-r-----    1 nobody   nobody        6378 Dec 15 12:18 apport.log.1
drwxr-x---    2 nobody   nobody        4096 Dec 17 06:04 unattended-upgrades
-rw-r-----    1 nobody   nobody     1351288 Dec 19 05:56 syslog.2.gz
-rw-r-----    1 nobody   nobody      402127 Dec 25 06:17 auth.log.1
-rw-r-----    1 nobody   nobody     8667895 Dec 25 06:17 kern.log.1
-rw-r-----    1 nobody   nobody      932806 Dec 25 06:21 syslog.1

	➜ ~ ps -ef \| grep -i daemon
	root 21636 1 2 15:04 ? 00:00:00 /usr/bin/docker daemon -H fd://

	➜ ~ docker run -it --rm -v /var/log:/var/log --name=demo alpine ls -latr /var/log/
	total 35236
	drwxr-xr-x 2 root root 4096 Oct 5 15:57 apt
	drwxr-xr-x 2 root root 4096 Oct 20 16:18 dist-upgrade
	-rw-r----- 1 root adm 31 Oct 21 17:28 dmesg
	-rw-r--r-- 1 root root 72557 Oct 21 17:29 bootstrap.log
	drwxr-xr-x 2 root root 4096 Nov 5 08:19 fsck
	drwxr-xr-x 3 root root 4096 Nov 5 08:49 installer
	-rw-r----- 1 root adm 6378 Dec 15 12:18 apport.log.1
	drwxr-x--- 2 root adm 4096 Dec 17 06:04 unattended-upgrades
	-rw-r----- 1 104 adm 1351288 Dec 19 05:56 syslog.2.gz
	-rw-r----- 1 104 adm 402127 Dec 25 06:17 auth.log.1
	-rw-r----- 1 104 adm 8667895 Dec 25 06:17 kern.log.1
	-rw-r----- 1 104 adm 932806 Dec 25 06:21 syslog.1
No results found