Score:0

Is it possible to get into a Docker container without root permission on the host, when Docker needs sudo to run?


To my knowledge, people usually open the docker group to regular users, so they can have a separate environment to do almost anything without root permission on the host.

But if the docker command needs to be run with sudo, like `sudo docker exec -it CONTAINER /bin/bash`, is it a good way to hide information, for instance, source code in a container?

My question is, to be more specific, if sudo is necessary to run docker, is it possible to see what's inside the container, or even access it, without root permission?

Score:1

It's not necessary to run Docker as root.

Docker has a "rootless" mode, that allows Docker containers to be run in userspace. However, there are some limitations to this operating mode listed in the linked documentation. In this mode, the user in question has full access to containers and their contents.

I don't personally have any experience with running Docker in rootless mode though.

If you want to run Docker as a system-wide service, it requires root access, or membership of the docker group. In this mode, you can run the following command (as a member of the docker group, using nginx as an example, and provided bash is in the container):

```
docker exec -it nginx /bin/bash
```

You get into the terminal of the container (as root):

```
root@e209bdb1fe51:/#
```

So even if you're not root on the local machine (but a member of the docker group), you will be root inside the container.

Guan
Thanks for your answer; sorry my wording wasn't clear. I mean, for users who are not in the docker group and don't have root permission, could they still get into the container? To be more specific, if the docker command can only be run with `sudo docker ...`, is it still possible for people to access the container without root?
user535733
Please edit your original question to clearly state the question that you want answered.
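
Added example, not part of the original posts: whether an unprivileged user can reach a system-wide Docker daemon comes down to write permission on the daemon's Unix socket, which by default is `/var/run/docker.sock`, owned by `root:docker` with mode 0660. The sketch below checks that for a given user; the function names are hypothetical, and it assumes a Linux host with GNU `stat` and the default socket path.

```shell
#!/bin/sh
# can_reach_socket OWNER_UID GROUP_GID MODE USER_UID "USER_GIDS"
# Returns 0 if that user may connect to a socket with this ownership and
# octal mode. Connecting to a Unix socket requires write permission on it.
can_reach_socket() {
    owner=$1 group=$2 mode=$3 uid=$4 gids=$5
    [ "$uid" -eq 0 ] && return 0            # root bypasses file permissions
    perms=$((0$mode))                       # leading 0: parse mode as octal
    if [ "$uid" -eq "$owner" ]; then
        bit=$((perms & 0200))               # owner class: owner write bit only
    else
        bit=$((perms & 0002))               # default to the "other" class
        for g in $gids; do
            if [ "$g" -eq "$group" ]; then
                bit=$((perms & 0020))       # group class: group write bit only
                break
            fi
        done
    fi
    [ "$bit" -ne 0 ]
}

# audit_docker_socket [SOCKET] [USER]
# Reports whether USER (default: current user) can talk to the daemon
# without sudo. The default path is an assumption about a stock install.
audit_docker_socket() {
    sock=${1:-/var/run/docker.sock}
    user=${2:-$(id -un)}
    [ -S "$sock" ] || { echo "$sock: no socket found"; return 2; }
    # GNU stat: numeric owner uid, group gid, octal permission bits
    set -- $(stat -c '%u %g %a' "$sock")
    if can_reach_socket "$1" "$2" "$3" "$(id -u "$user")" "$(id -G "$user")"; then
        echo "$user CAN use $sock without sudo (docker exec into any container)"
    else
        echo "$user cannot open $sock; docker commands need sudo"
    fi
}

audit_docker_socket "$@" || true
```

A socket mode that grants write access to "other" (for example 0666) would let every local user run `docker exec`, regardless of sudo or group membership.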