Information Security Asked by dotcs on February 13, 2021
From a security perspective: Is it necessary that a user who runs OCI containers with Podman is not at the same time a member of the
From what I understand the idea behind Podman is to re-map the user ids, such that the root user within the container is equivalent to the user on the host. The security concept is better because if a user can take over the container and break out, the user is not automatically root user on the host (given that the process within the container was started as the container’s root user).
Now if the user on the host is in the docker group it should be equivalent to having root access, as stated in the Docker post-installation guide:
The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
So if an attacker breaks out of a container managed by Podman, and at the same time the user who started the container is in the docker group, the security gain should be none compared to managing containers with Docker. Is this correct?
Yes, I'd say that your assertion here is correct. Gaining access to an account which is a member of the Docker group on a host (absent other custom protections) will allow the attacker to escalate their privileges to be root on the host.
Typically podman is used on developer systems rather than for running production services, which would usually be done with something like CRI-O in that kind of environment.
It's possibly worth noting that it is possible to run Docker in a rootless mode similar to podman, which may mitigate this kind of issue.
Answered by Rory McCune on February 13, 2021
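The two points in the thread, user-namespace remapping and docker-group membership, can be made concrete with a small POSIX sh check. This is an added example, not code from the question or the answer: the uid_map and /etc/group contents are constructed sample data (the uid_map field layout is the real /proc/<pid>/uid_map format), and the function names map_uid, in_docker_group and assess are this example's own.

```shell
# Constructed sample data: a rootless Podman uid_map as seen in
# /proc/<pid>/uid_map inside the container (fields: container-start
# host-start length), and one /etc/group line. With this map, container
# uid 0 is host uid 1000 and container uids 1..65536 land in the user's
# /etc/subuid range starting at 100000.
UID_MAP='0 1000 1
1 100000 65536'
GROUP_LINE='docker:x:998:alice,bob'

# map_uid CONTAINER_UID: print the host uid it maps to, or "unmapped"
# when no range covers it (such ids show up as the overflow uid, nobody).
map_uid() {
    _c=$1
    while read -r start host len; do
        [ -z "$start" ] && continue
        if [ "$_c" -ge "$start" ] && [ "$_c" -lt $((start + len)) ]; then
            echo $((host + _c - start))
            return 0
        fi
    done <<EOF
$UID_MAP
EOF
    echo unmapped
}

# in_docker_group USER: "yes" if USER appears in the docker group's member list.
in_docker_group() {
    _members=${GROUP_LINE##*:}
    case ",$_members," in
        *",$1,"*) echo yes ;;
        *)        echo no ;;
    esac
}

# assess CONTAINER_UID HOST_USER: what an escape as CONTAINER_UID is worth
# when HOST_USER is the account that started the rootless container.
assess() {
    _host_uid=$(map_uid "$1")
    if [ "$_host_uid" = "0" ]; then
        echo "root-equivalent:host-uid-0"
    elif [ "$(in_docker_group "$2")" = "yes" ]; then
        echo "root-equivalent:docker-group"
    else
        echo "unprivileged:host-uid-$_host_uid"
    fi
}

# Demo: container root escaping under alice (docker group) vs carol (not).
assess 0 alice   # root-equivalent:docker-group
assess 0 carol   # unprivileged:host-uid-1000
```

On a real host, replace UID_MAP with `cat /proc/<container-pid>/uid_map` and GROUP_LINE with `getent group docker` to check your own setup.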