Package: docker.io
Version: 0.9.0+dfsg1-1
Tags: security
Severity: important

joey@darkstar:~>docker.io run -v /:/mnt -t -i mydebian bash
2014/03/22 22:56:23 Invalid bind mount: source can't be '/'
joey@darkstar:~> docker.io run -v ../../../:/mnt -t -i debian bash
root@b7647a89f0d7:/# wc -l /mnt/etc/shadow
42 /mnt/etc/shadow

IMHO, this is a straight-up security hole. Non-root users should not be
allowed to expose outside system paths into the container. The check for
"/" implies I'm right; the absurdly bad implementation of the check is ...
worrying.

Note README.Debian does not indicate that the docker group gives the user
root, either inside or outside the container.

As noted in the upstream documentation (https://docs.docker.io), Docker will
allow non-root users in the "docker" group to access "docker.sock" and thus
communicate with the daemon.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.10-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages docker.io depends on:
ii  adduser              3.113+nmu3
ii  init-system-helpers  1.18
ii  iptables             1.4.21-1
ii  libapparmor1         2.8.0-5+b1
ii  libc6                2.18-4
ii  libdevmapper1.02.1   2:1.02.83-2
ii  libsqlite3-0         3.8.3.1-1
ii  perl                 5.18.2-2+b1

Versions of packages docker.io recommends:
ii  aufs-tools       1:3.2+20130722-1.1
ii  ca-certificates  20140223
ii  git              1:1.9.1-1
ii  xz-utils         5.1.1alpha+20120614-2

docker.io suggests no packages.

-- no debconf information

-- 
see shy jo
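
The session in the report shows a source check that rejects the literal string "/" but accepts "../../../". The following Go sketch is an added example, not part of the report and not Docker's source: naiveCheck is an assumed reconstruction of the observed behaviour, and canonicalCheck and resolveSource are hypothetical helpers that compare the resolved path instead of its spelling.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// naiveCheck models the behaviour seen in the report: only the literal
// string "/" is rejected. (Assumed shape, not taken from Docker's code.)
func naiveCheck(src string) error {
	if src == "/" {
		return errors.New("invalid bind mount: source can't be '/'")
	}
	return nil
}

// resolveSource makes src absolute relative to cwd, collapses "." and "..",
// and follows symlinks, so every spelling of a directory compares equal.
func resolveSource(cwd, src string) (string, error) {
	if !filepath.IsAbs(src) {
		src = filepath.Join(cwd, src)
	}
	return filepath.EvalSymlinks(filepath.Clean(src))
}

// canonicalCheck rejects any source whose resolved form is the root directory.
func canonicalCheck(cwd, src string) error {
	resolved, err := resolveSource(cwd, src)
	if err != nil {
		return err // a source that cannot be resolved is refused
	}
	if resolved == "/" {
		return fmt.Errorf("invalid bind mount: %q resolves to '/'", src)
	}
	return nil
}

func main() {
	cwd, _ := os.Getwd()
	// Constructed inputs: different spellings of the root directory.
	for _, src := range []string{"/", "../../../../../../../..", "//", "/./"} {
		fmt.Printf("%-28q naive=%v canonical=%v\n",
			src, naiveCheck(src), canonicalCheck(cwd, src))
	}
}
```

Canonicalisation only makes the "/" check consistent; a source such as /etc is still accepted, so it does not address the report's broader point about what membership of the docker group allows.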