From b0fd4f882fd9b8c38a004395ea44b32f06431345 Mon Sep 17 00:00:00 2001 From: LIZAO LI Date: Fri, 31 Jul 2015 16:26:40 -0500 Subject: [PATCH 1/3] add: best practice for security when sharing host directories. Closes and carries PR #15210 Updating with Seb's comment Signed-off-by: Mary Anthony --- docs/userguide/dockervolumes.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/userguide/dockervolumes.md b/docs/userguide/dockervolumes.md index ef15fa0cbb..f2572422fa 100644 --- a/docs/userguide/dockervolumes.md +++ b/docs/userguide/dockervolumes.md @@ -141,11 +141,21 @@ $ docker run -d -P --name web -v /src/webapp:/opt/webapp:ro training/webapp pyth Here we've mounted the same `/src/webapp` directory but we've added the `ro` option to specify that the mount should be read-only. +Because of [limitations in the `mount` +function](http://lists.linuxfoundation.org/pipermail/containers/2015-April/ +035788.html), moving subdirectories within the host's source directory can give +access from the container to the host's file system. This requires a malicious +user on the host with root access or with access to the Docker socket. Access to +the Docker socket is equivalent to being privileged/root on the host. If your +systems defines a `docker` group, be aware all its members have the necessary +privileges to exploit this. + >**Note**: The host directory is, by its nature, host-dependent. For this >reason, you can't mount a host directory from `Dockerfile` because built images >should be portable. A host directory wouldn't be available on all potential >hosts. + ### Mount a host file as a data volume The `-v` flag can also be used to mount a single file - instead of *just* From 95495d20bec49ae338e6fc10f5d4be71bd162370 Mon Sep 17 00:00:00 2001 From: Mary Anthony Date: Mon, 31 Aug 2015 09:54:15 -0700 Subject: [PATCH 2/3] Updating with SEb's comments 
Signed-off-by: Mary Anthony --- docs/userguide/dockervolumes.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/docs/userguide/dockervolumes.md b/docs/userguide/dockervolumes.md index f2572422fa..f210dddaf0 100644 --- a/docs/userguide/dockervolumes.md +++ b/docs/userguide/dockervolumes.md @@ -145,10 +145,7 @@ Because of [limitations in the `mount` function](http://lists.linuxfoundation.org/pipermail/containers/2015-April/ 035788.html), moving subdirectories within the host's source directory can give access from the container to the host's file system. This requires a malicious -user on the host with root access or with access to the Docker socket. Access to -the Docker socket is equivalent to being privileged/root on the host. If your -systems defines a `docker` group, be aware all its members have the necessary -privileges to exploit this. +user with access to the mounted directory on the host. >**Note**: The host directory is, by its nature, host-dependent. For this >reason, you can't mount a host directory from `Dockerfile` because built images From 7271dca8cc4570a28feba5a45153497dd452d899 Mon Sep 17 00:00:00 2001 From: Mary Anthony Date: Mon, 31 Aug 2015 09:56:35 -0700 Subject: [PATCH 3/3] updating again. Signed-off-by: Mary Anthony --- docs/userguide/dockervolumes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/userguide/dockervolumes.md b/docs/userguide/dockervolumes.md index f210dddaf0..c08cf5c5c7 100644 --- a/docs/userguide/dockervolumes.md +++ b/docs/userguide/dockervolumes.md 
@@ -145,7 +145,7 @@ Because of [limitations in the `mount` function](http://lists.linuxfoundation.org/pipermail/containers/2015-April/ 035788.html), moving subdirectories within the host's source directory can give access from the container to the host's file system. This requires a malicious -user with access to the mounted directory on the host. +user with access to host and its mounted directory. >**Note**: The host directory is, by its nature, host-dependent. For this >reason, you can't mount a host directory from `Dockerfile` because built images
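Review bot: In patch 1/3 the markdown link in the new paragraph is broken across a line inside its URL (`2015-April/` on one line, `035788.html` on the next), which markdown renderers will not rejoin, so the link to the containers list thread will render broken; keep the entire `(http://lists.linuxfoundation.org/pipermail/containers/2015-April/035788.html)` target on a single line even though it exceeds the wrap width. Two smaller points in the same hunk: `If your systems defines a `docker` group` should read `If your system defines a `docker` group`, and the subject line promises a "best practice for security when sharing host directories" while the paragraph only describes the risk, so add the corresponding advice (for example, restricting who on the host can modify a directory that is shared into a container). The lone `+` blank line inserted before `### Mount a host file as a data volume` is an unrelated whitespace change and can be dropped.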
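Review bot: Patch 2/3 changes the stated prerequisite from `root access or with access to the Docker socket` to `a malicious user with access to the mounted directory on the host`, which is a considerably weaker attacker than the original text described, and at the same time deletes the sentence that Docker-socket access is equivalent to root on the host and the warning that every member of the `docker` group has that privilege. Those two removed sentences are sound guidance regardless of this particular issue; if the prerequisite really is only write access to the shared directory, the socket/`docker`-group warning should be kept elsewhere in the volumes page rather than removed, and the commit message (currently just `Updating with SEb's comments`) should say why the threat model was narrowed so later readers can verify it.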
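Review bot: In patch 3/3 the replacement line `user with access to host and its mounted directory.` is missing an article and reads awkwardly; `user with access to the host and to the mounted directory.` says the same thing clearly. Since 2/3 and 3/3 each rewrite the single sentence introduced in 1/3 and carry messages like `updating again.`, the series should be squashed into one commit whose message states the final wording and the reason for it, so the history does not record three versions of one sentence.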