Podman: What if user is member of docker group?

Information Security Asked by dotcs on February 13, 2021

From a security perspective: Is it necessary that a user who runs OCI containers with Podman is not at the same time a member of the docker group?

From what I understand the idea behind Podman is to re-map the user ids, such that the root user within the container is equivalent to the user on the host. The security concept is better because if a user can take over the container and break out, the user is not automatically root user on the host (given that the process within the container was started as the container’s root user).

Now if the user on the host is in the docker group, it should be equivalent to having root access, as stated in the Docker post-installation guide:

"The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface."

So if an attacker breaks out of a container managed by Podman, and at the same time the user who started the container is in the docker group, the security gain should be none compared to managing containers with Docker. Is this correct?

One Answer

Yes, I'd say that your assertion here is correct. Gaining access to an account which is a member of the Docker group on a host (absent other custom protections) will allow the attacker to escalate their privileges to be root on the host.

Typically Podman is used for developer systems rather than running production services, which would usually be done with something like CRI-O, in that kind of environment.

It's possibly worth noting that it is possible to run Docker in a rootless mode similar to Podman, which may mitigate this kind of issue.

Answered by Rory McCune on February 13, 2021
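
A host check for the situation discussed above, as an added example that is not part of the original question or answer: it lists accounts that have a subordinate UID range (the /etc/subuid entries rootless Podman typically uses) and are also in the docker group. The function names are made up for this example, and it assumes accounts are defined in local files.

```shell
#!/bin/sh
# Added example: flag accounts that have a subordinate UID range (used for
# rootless containers) and are also in the docker group. Reads local files
# only; LDAP/SSSD accounts and numeric-UID subuid entries are not resolved.

# docker_group_members GROUP_FILE PASSWD_FILE
# Supplementary members of "docker" plus users whose primary GID is docker's.
docker_group_members() {
    dgm_gid=$(awk -F: '$1 == "docker" { print $3; exit }' "$1")
    [ -n "$dgm_gid" ] || return 0      # no docker group on this host
    {
        awk -F: '$1 == "docker" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1"
        awk -F: -v gid="$dgm_gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# rootless_users SUBUID_FILE
# Login names that own at least one subordinate UID range.
rootless_users() {
    awk -F: '$1 != "" && $1 !~ /^#/ { print $1 }' "$1" | sort -u
}

# audit_overlap GROUP_FILE PASSWD_FILE SUBUID_FILE
# Prints accounts found in both sets; returns 1 if there are any, else 0.
audit_overlap() {
    ao_members=$(docker_group_members "$1" "$2")
    [ -n "$ao_members" ] || return 0
    # -F fixed strings, -x whole-line match; one pattern per member line.
    ao_hits=$(rootless_users "$3" | grep -Fx -e "$ao_members" || true)
    [ -n "$ao_hits" ] || return 0
    printf '%s\n' "$ao_hits"
    return 1
}
```

On a live host, call `audit_overlap /etc/group /etc/passwd /etc/subuid`. Any account it prints is one where, as the answer says, compromise of the account allows escalation to root through the Docker daemon regardless of how its Podman containers are run.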
