Docker upstream also provides packages (for multiple different debian version): ĭebian images are available in the docker.io official repository, but you may as well create some yourself (see more details on both options below). Thus, the safer choice is to never add a user account - even your own - to the docker group, so that Docker commands can only be used via sudo.ĭocker is a solution for the management of lightweight process containers.ĭocker can be installed from buster (or newer) repositories (see the docker.io package). Access to Docker commands effectively grants full root power.Īlso, Docker doesn't have any equivalent to sudo's password check, which means that a successful arbitrary-code-execution exploit against a user who is in the docker group effectively grants the attacker root. This makes it trivial for a malicious user to read and alter sensitive system files, or for a careless user to allow a malicious containerized app to do so. The Docker daemon has setUID root, and by design allows easy access as root to the host filesystem.
Docker group membership is more dangerous than sudo
0 kommentar(er)
