The Default Docker User Has a Lot of Power
Most Docker containers run processes as the root user, leading to increased security risks. See a demonstration and learn what can be done to reduce risk.
Table of Contents 📖
The Default Docker User
Many containers default to running processes as the root user. We can see this by running a container and printing whoami.
docker run --rm -it ubuntu:latest whoami
root
docker run --rm -it alpine:latest whoami
root
Having root as the default user can simplify operations, but it can also introduce security risks. The root user has unrestricted access to all files, commands, and operations inside the container.
Shared Context with the Host
Docker containers share the kernel with the host system. With root access, an attacker could exploit kernel vulnerabilities to escape the container and execute commands on the host system. They could also interact with devices and system configurations using mounted volumes.
ERROR: If volumes like /var/run/docker.sock are mounted, a root user in the container can potentially control the Docker daemon and manipulate the host system.
What to Do?
There are a few ways to improve security with Docker containers. First, Docker allows us to create a user with the --user flag.
docker run --rm -it --user 1000:1000 ubuntu:latest whoami
ubuntu
docker run --rm -it ubuntu:latest whoami
root
The --user 1000:1000 flag instructs Docker to run the container process as the user with UID 1000 and GID 1000 (we could also create a custom user in a Dockerfile). We can also add and remove specific capabilities from a container.
docker run --cap-drop=ALL --cap-add=NET_ADMIN my-image
There are times where running as root inside a container is necessary such as containers designed to manage system level tasks. In these cases, it could be beneficial to isolate the containers from sensitive environments and hosts. Either way, be aware that misconfigurations, volumes, and bugs can lead to the greater likelihood of a compromised system with a root user.