Skip Navigation
Selfhosted @lemmy.world diy @sh.itjust.works

Security and docker

How do i you decide whats safe to run

I recently ran Gossa on my home server using Docker, mounting it to a folder. Since I used rootless Docker, I was curious - if Gossa were to be a virus, would I have been infected? Have any of you had experience with Gossa?

28

You're viewing a single thread.

28 comments

  • Docker (and Linux containers in general) are not a strong security boundary.

    The reason is simply that the Linux kernel is far too large and complex of an interface to be vulnerability free. There are regular privilege escalation and container escapes found. There are also frequent Docker-specific container escape vulnerabilities.

    If you want strong security boundaries you should use a VM, or even better separate hardware. This is why cloud container services run containers from different clients in different VMs, containers are not good enough to isolate untrusted workloads.

    if Gossa were to be a virus, would I have been infected?

    I would assume yes. This would require the virus to know an unpatched exploit for Linux or Docker, but these frequently appear. There are likely many for sale right now. If you aren't a high value target and your OS is fully patched then someone probably won't burn an exploit on you, but it is entirely possible.

    • While docker isn't perfect saying it is completely insecure is untrue. It is true serious vulnerabilities popup once and a while but to say that it is trivial to escape a container is to big of a statement to be true. You can misconfigure a docker container which would allow for an escape but that's about it for the most part. The Linux kernel isn't easy to exploit as if it was it wouldn't be used so heavily in security sensitive environments.

      For added security you could use podman with a dedicated user for sandboxing. If the podman container is breached it will have little place to go. Also Podman tends to have better isolation in general. There isn't any way to break out of a properly configured docker container right now but if there were it would mean that an attacker has root

      • I never said it was trivial to escape, I just said it wasn't a strong security boundary. Nothing is black and white. Docker isn't going to stop a resourceful attacker but you may not need to worry about attackers who are going to spend >$100k on a 0-day vulnerability.

        The Linux kernel isn’t easy to exploit as if it was it wouldn’t be used so heavily in security sensitive environments

        If any "security sensitive" environment is relying on Linux kernel isolation I don't think they are taking their sensitivity very seriously. The most security sensitive environments I am aware of doing this are shared hosting providers. Personally I wouldn't rely on them to host anything particularly sensitive. But everyone's risk tolerance is different.

        use podman with a dedicated user for sandboxing

        This is only every so slightly better. Users have existed in the kernel for a very long time so may be harder to find bugs in but at the end of the day the Linux kernel is just too complex to provide strong isolation.

        There isn’t any way to break out of a properly configured docker container right now but if there were it would mean that an attacker has root

        I would bet $1k that within 5 years we find out that this is false. Obviously all of the publicly known vulnerabilities have been patched. But more are found all of the time. For hobbyist use this is probably fine, but you should acknowledge the risk. There are almost certainly full kernel-privilege code execution vulnerabilities in the current Linux kernel, and it is very likely that at least one of these is privately known.

You've viewed 28 comments.