TransWikia.com

Podman: What if user is member of docker group?

Information Security Asked by dotcs on February 13, 2021

From a security perspective: Is it necessary that a user, that runs OCI containers with Podman, is not at the same time a member of the docker group?

From what I understand the idea behind Podman is to re-map the user ids, such that the root user within the container is equivalent to the user on the host. The security concept is better because if a user can take over the container and break out, the user is not automatically root user on the host (given that the process within the container was started as the container’s root user).

Now if the user on the host is in the docker group it should be equivalent of having root access as stated in the Docker post-installation guide:

The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

Source

So if an attacker breaks out of a container managed by Podman, and at the same time the user who started the container is in the docker group, the security gain should be none compared to managing containers with Docker. Is this correct?

One Answer

Yes, I'd say that your assertion here is correct. Gaining access to an account which is a member of the Docker group on a host (absent other custom protections) will allow the attacker to escalate their privileges to be root on the host.

Typically podman is used for developer systems rather than running production services, which would usually be done with something like CRI-O, in that kind of environment.

It's possibly worth noting that it is possible to run Docker in a rootless mode similar to podman, which may mitigate this kind of issue.

Answered by Rory McCune on February 13, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP