Merge pull request #15926 from moxiegirl/carry-15210

add: best practice for security when sharing host directories.
2022-11-09 12:21:53 -05:00 · 2015-08-31 19:51:15 +02:00 · 2015-08-31 19:51:15 +02:00 · c844effeda
commit c844effeda
parent 3bd8016259 7271dca8cc
1 changed files with 7 additions and 0 deletions
--- a/docs/userguide/dockervolumes.md
+++ b/docs/userguide/dockervolumes.md
@ -141,11 +141,18 @@ $ docker run -d -P --name web -v /src/webapp:/opt/webapp:ro training/webapp pyth
 Here we've mounted the same `/src/webapp` directory but we've added the `ro`
 option to specify that the mount should be read-only.

+Because of [limitations in the `mount`
+function](http://lists.linuxfoundation.org/pipermail/containers/2015-April/
+035788.html), moving subdirectories within the host's source directory can give
+access from the container to the host's file system. This requires a malicious
+user with access to host and its mounted directory. 
+
 >**Note**: The host directory is, by its nature, host-dependent. For this
 >reason, you can't mount a host directory from `Dockerfile` because built images
 >should be portable. A host directory wouldn't be available on all potential
 >hosts.

+
 ### Mount a host file as a data volume

 The `-v` flag can also be used to mount a single file  - instead of *just*