Docker bind mount permission or USER someguy
As part of a root-escalation defect, hugo needs to support running as a non-root user. There is some "official" guidance from Docker on this, a la Docker - Security Conclusions.
Docker concludes…
Docker containers are, by default, quite secure; especially if you take care of running your processes inside the containers as non-privileged users (i.e., non-root).
You can add an extra layer of safety by enabling AppArmor, SELinux, GRSEC, or your favorite hardening solution.
Bind Volumes
It's a well-known "challenge" that when you bind-mount a host directory into your container, you are responsible for the careful alignment of uid/gid on both sides: Docker passes the numeric ids straight through and does not translate them.
Running as root user within the container
Requirements
The container will be creating files that the host will also need to access
Typical Implementation
In this case the container's process runs as root, or as some other user whose uid/gid does not map back to a host account cleanly.
If the container creates files as root, they show up on the host owned by uid=0/gid=0, because without user-namespace remapping the container's root is the host's root. With the usual umask they are world-readable but only root on the host can write or delete them.
[root@prime avinash]# id
uid=0(root) gid=0(root) groups=0(root)
Now what if a normal host user wants to access these files? They can’t!
Possible Solutions
Copy uid/gid mappings into containers
mkdir -p /tmp/mycontainer/mappings && cp -p /etc/{passwd,group,shadow} /tmp/mycontainer/mappings
Bind-mount them read-only over the container's own copies, so every uid/gid inside the container resolves to the same name as on the host.
Sample docker-compose.yml (volumes section of the service)
volumes:
  - /tmp/mycontainer/mappings/passwd:/etc/passwd:ro
  - /tmp/mycontainer/mappings/group:/etc/group:ro
  - /tmp/mycontainer/mappings/shadow:/etc/shadow:ro
Pros
- Consistent
- Easy to script
- Simple UID/GID mapping: the container sees exactly the host's ids and names
Cons
- Exposes things about the host: every host account name is visible inside the container, and bind-mounting /etc/shadow hands the host's password hashes to anything running as root in the container
- What about LDAP or other sources of principals/credentials? /etc/passwd and /etc/group only cover local accounts, so users that come from a directory never appear in the copied files
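The following script is an added example, not code from the original page or from hugo. It narrows the "copy the mappings" approach above to address the first con: instead of copying the whole host /etc/passwd, /etc/group and /etc/shadow, it writes a passwd/group pair containing only root and the one user the container will run as, never touches shadow, and emits the matching compose `user:` value so the container runs as that host user rather than as root. The sample passwd/group text is constructed inline so the script runs offline; the function names (filter_passwd, filter_group, user_spec, write_mappings) and the avinash account are illustrative, not anything the page defines.

```shell
#!/bin/sh
# Added example (not from the original page): build a minimal passwd/group
# pair for a container from a single host user's entries, and print the
# docker-compose lines that mount them and run the container as that user.
set -eu

# Constructed sample of /etc/passwd and /etc/group (not a real host's files).
# In real use, pass "$(cat /etc/passwd)" and "$(cat /etc/group)" instead.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
avinash:x:1000:1000:Avinash:/home/avinash:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
SAMPLE_GROUP='root:x:0:
avinash:x:1000:
docker:x:998:avinash'

# filter_passwd NAME PASSWD_TEXT
# Keep only root (uid 0 must exist in the container) and the named user.
# Every other host account stays private; nothing from /etc/shadow is copied.
filter_passwd() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == "root" || $1 == u'
}

# filter_group NAME GID GROUP_TEXT
# Keep root's group, the user's primary group (by gid), and any group that
# lists the user as a supplementary member (4th field, comma separated).
filter_group() {
  printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
    $1 == "root" || $3 == g { print; next }
    { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) { print; break } }'
}

# user_spec NAME PASSWD_TEXT  ->  "uid:gid", the value for --user / compose user:
user_spec() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { printf "%s:%s\n", $3, $4 }'
}

# write_mappings DIR NAME PASSWD_TEXT GROUP_TEXT
# Write DIR/passwd and DIR/group, then print the compose fragment to paste
# into the service. No shadow file is produced on purpose.
write_mappings() {
  dir=$1; name=$2
  mkdir -p "$dir"
  filter_passwd "$name" "$3" > "$dir/passwd"
  gid=$(user_spec "$name" "$3" | cut -d: -f2)
  filter_group "$name" "$gid" "$4" > "$dir/group"
  chmod 0644 "$dir/passwd" "$dir/group"   # world-readable like the originals
  cat <<EOF
    user: "$(user_spec "$name" "$3")"
    volumes:
      - $dir/passwd:/etc/passwd:ro
      - $dir/group:/etc/group:ro
EOF
}

# Usage with the constructed sample; on a real host substitute /etc/passwd
# and /etc/group contents and a fixed mappings directory.
write_mappings "$(mktemp -d)" avinash "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

Because the container now starts as the host user's uid/gid, files it creates on the bind mount are owned by that host user, which is the access pattern the Requirements section asks for; the passwd/group mounts only add readable names for those ids. The LDAP con still stands: if the user comes from a directory, getent rather than /etc/passwd has to supply the entry.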