如何限制对 Docker 容器中路径的访问?
How to restrict access to path in Docker container?
Here I've written a Dockerfile for testing user access. The other file (run.sh) is on this link
到目前为止,我已经这样做了:
- 从 Ubuntu 12.04.05 开始,使用 sudo 和 ssh 服务器创建一个新容器。
- 将默认根密码更改为 'root'
- 创建一个测试目录 '/app' 和一个名为 'lalal' 的文件,其中包含一个示例字符串。
- 创建用户 'devops' 并为其添加 sudo 功能以启动 ssh 服务。
- 配置run.sh脚本启动时启动ssh服务,改为'devops'为默认用户
与docker的操作:
- 构建:docker构建testuser/testuser:v1 -f ./Dockerfile .
- 至运行:docker 运行 -d -P --name testuser -p 22:22 testuser/testuser:v1
- 查看日志:docker logs testuser
- 到运行一个bash:docker exec -i -t bash
- 到运行一个bashroot用户:docker exec -i -t -user=root bash
至多 运行使用 devops 用户连接 bash 由于 /app 目录的限制没有问题但是当我使用 root 运行 bash user 我可以为所欲为,devops 用户没用。我该如何纠正这个安全漏洞?
如issue 8664所述:
If someone has access to Docker, they have access to your entire system, can join namepsaces, etc.
Disabling docker exec
would not enhance security at all.
如果你可以 运行 docker exec
,你可以 运行 它作为任何 运行ning 容器中的根。这不是错误或安全风险。这是一个特点。
来自issue 8798:
I think exec
is mostly useful for debugging a container and therefore it is necessary to be able to exec as root
.
OP Agustín Alba Chicar confirms () with issue 18640
(Brian Goff -- cpuguy83
的回答)
No.
By convention, any user with access to docker has full root access to the host, which makes root access to the container moot.
Docker now has an authorization framework in master, which can be used to limit this sort of access. It will be available in Docker 1.10.
Here I've written a Dockerfile for testing user access. The other file (run.sh) is on this link
到目前为止,我已经这样做了:
- 从 Ubuntu 12.04.05 开始,使用 sudo 和 ssh 服务器创建一个新容器。
- 将默认根密码更改为 'root'
- 创建一个测试目录 '/app' 和一个名为 'lalal' 的文件,其中包含一个示例字符串。
- 创建用户 'devops' 并为其添加 sudo 功能以启动 ssh 服务。
- 配置run.sh脚本启动时启动ssh服务,改为'devops'为默认用户
与docker的操作:
- 构建:docker构建testuser/testuser:v1 -f ./Dockerfile .
- 至运行:docker 运行 -d -P --name testuser -p 22:22 testuser/testuser:v1
- 查看日志:docker logs testuser
- 到运行一个bash:docker exec -i -t bash
- 到运行一个bashroot用户:docker exec -i -t -user=root bash
至多 运行使用 devops 用户连接 bash 由于 /app 目录的限制没有问题但是当我使用 root 运行 bash user 我可以为所欲为,devops 用户没用。我该如何纠正这个安全漏洞?
如issue 8664所述:
If someone has access to Docker, they have access to your entire system, can join namepsaces, etc.
Disablingdocker exec
would not enhance security at all.
如果你可以 运行 docker exec
,你可以 运行 它作为任何 运行ning 容器中的根。这不是错误或安全风险。这是一个特点。
来自issue 8798:
I think
exec
is mostly useful for debugging a container and therefore it is necessary to be able to exec asroot
.
OP Agustín Alba Chicar confirms (
(Brian Goff -- cpuguy83
的回答)
No.
By convention, any user with access to docker has full root access to the host, which makes root access to the container moot.Docker now has an authorization framework in master, which can be used to limit this sort of access. It will be available in Docker 1.10.