If I will allow user to run whatever he want, is he able to do bad thinks to env in which container was executed?
Docker does its best to create containers which do not allow mischievous users to do bad things. As an example, it removes the ability for any user to be able to execute mount.
That being said, there is no guarantee that a user cannot break out of the container given an exploit in cgroups or that the configuration is perfect. This should be evaluated on an as-needed basis.
As far as I can see, the answer is yes. So you should probably not give a hacker sudo rights on any container...
A quick Google search gave me the following.
On https://wiki.ubuntu.com/LxcSecurity:
... containers will always (by design) share the same kernel as the host. Therefore, any vulnerabilities in the kernel interface, unless the container is forbidden the use of that interface (i.e. using seccomp2) can be exploited by the container to harm the host.
On http://www.funtoo.org/wiki/Linux_Containers
As of Linux kernel 3.1.5, LXC is usable for isolating your own private workloads from one another. It is not yet ready to isolate potentially malicious users from one another or the host system.
They propose OpenVZ as an alternative.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With