https://nakedsecurity.sophos.com/20...

Is this legit?

It is a result of a query I have: I am curious whether Docker's claims of system isolation between apps are verifiably universal.

There have been a number of attempts at virtualization that avoid VMs, and I have always wondered whether there is a way to access the host system's kernel through these?

Thoughts?

Comments
  • 0
    Never trust a company.

    Docker is a _large_ ecosystem.

    Docker itself has a lot of buts: if you run, e.g., a non-privileged container, mount sockets from the host system, et cetera, the isolation is useless.

    Hardware, software... Everything is vulnerable if you look hard enough or penetrate hard enough ;)
  • 0
    @IntrusionCM mount sockets?
  • 0
    @MadMadMadMrMim

    Mount a device/socket from the host OS into the Docker container.
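    A defensive check for the two conditions named in this exchange (a privileged container, or a host socket mounted into it), added here as an example and not code from the thread: it parses the JSON that `docker inspect` prints and flags settings that negate container isolation. The `SAMPLE_INSPECT` records are constructed; the keys `HostConfig.Privileged`, `PidMode`, `NetworkMode` and `Mounts` are real `docker inspect` fields, and the list of sensitive host paths is my own choice.

```python
"""Flag isolation-breaking settings in `docker inspect` output.

On a real host, replace SAMPLE_INSPECT with the stdout of
`docker inspect <container>`; the sample below is constructed data."""
from __future__ import annotations
import json

# Constructed sample: one locked-down container and one that runs privileged,
# shares the host PID namespace and bind-mounts the Docker socket.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": "", "NetworkMode": "bridge"},
     "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/srv"}]},
    {"Name": "/ci-agent",
     "HostConfig": {"Privileged": True, "PidMode": "host", "NetworkMode": "bridge"},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])

# Host paths whose bind mount hands the container a control channel to the host
# (the Docker socket is effectively root on the host; /dev, /proc, /sys expose it).
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock", "/dev", "/proc", "/sys")

def is_sensitive_host_path(src: str) -> bool:
    """True if src is one of the sensitive paths, something under one, or the host root."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)

def audit_container(c: dict) -> list[str]:
    """Return the isolation-breaking findings for one inspect record (empty = clean)."""
    findings = []
    hc = c.get("HostConfig", {})
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices exposed")
    if hc.get("PidMode") == "host":
        findings.append("pid=host: container can see and signal host processes")
    if hc.get("NetworkMode") == "host":
        findings.append("net=host: container shares the host network stack")
    for m in c.get("Mounts", []):
        src = m.get("Source", "")
        if m.get("Type") == "bind" and is_sensitive_host_path(src):
            findings.append(f"bind mount of host path {src} -> {m.get('Destination')}")
    return findings

def audit_inspect_json(text: str) -> dict[str, list[str]]:
    """Map container name -> findings for every record in a `docker inspect` array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}

if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```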
  • 0
    @IntrusionCM is there effectively a difference between Docker and using a chroot jail and specific user and group permissions?
  • 1
    @MadMadMadMrMim

    Yes. A chroot's security is dependent on the OS. In Linux, a chroot is not a security feature at all. It has no separation of processes and is implemented in userspace.

    https://en.m.wikipedia.org/wiki/...

    You can look at this table...

    But the best way to get a deeper understanding is this blog article from Mr Garfield:

    https://platform.sh/blog/2020/...

    It's really great.
  • 0
    https://platform.sh/blog/2020/...

    This is the correct link; it's linked in the above entry, but for clarity.
  • 0
    @IntrusionCM note you said userspace, not kernel space. That was kind of my point. Imma look at those links, but can't you in essence just isolate a process to a specific level of privilege, say on Linux, to prevent the rest of the system from being compromised if someone hacks your app somehow, because the Apache process or whatever server process was being run on a specific user account (setuid I think it's called, impersonation on Windows), so the attacker can't get elevated permission levels if all is working as it should? I'm just not sold entirely on containerization for less than managing a cloud center's resources.
  • 0
    @IntrusionCM I like the links btw :)
  • 0
    @IntrusionCM Eww, I remember LXC; it didn't work worth crap, and the major distros didn't compile in cgroups by default, you had to do a custom
  • 0
    see now other than this situation being the same I just remembered some other things where a guy in sun glasses replaced me for some reason in a timeline and there was sex as well.
  • 1
    Since Docker shares the kernel with the host and all containers, you can access everything if you try hard enough.

    With VMs it is different since the kernels are independent, but there is also a way.

    I would argue Docker is more insecure than using VMs, but everything has a use case and ways to secure it too.

    This is why devs should dev, ops should op and sec should sec.
  • 1
    @mundo03 and we should all live in endless jellish circles restoring the same content over and over
  • 0
    @MadMadMadMrMim well, that is what git is for, isn't it?

    You can also automate your infra with stuff like Terraform, Puppet, Ansible.

    Docker has a use case, and it is not to make your life easier on your dev environment; that is what stuff like Vagrant is for.

    If you want to talk ops and creating this from the ground up in a reproducible manner, then talk ops: consider tools for what they are, and don't vendor-lock because it is hype.
  • 0
    Ah, it seems like a variant of Rotten Potato, but with Docker... I wonder how many other applications have this problem.

    If I read the Sophos article correctly, one already needs to have limited access to the Docker host, and the vulnerability can then be used to gain SYSTEM rights. As privesc on the host system always grants access to all containers and even virtual machines (ignoring Hyper-V "shielded" ones here), this does not break the Docker "isolation promise" from the perspective of containers.
  • 0
    @mundo03 I always managed my own scripts and services. What is Vagrant?
  • 0
    @mundo03 and, uh, not vendor locking, but one must admit there are more tools out there than are usable.

    Dunno where that comment came from
  • 0
    @mundo03 even your little comment just now lol
  • 0
    @mundo03 seems like one of the chomos that runs this page would make so as to create a superficial track record of issues with a user which really only was with one or two weird or rude or bizarre people previously so you people could cut unplanned content additions and do what you always do either integrate someone's contributions amongst each other or vehemently exclude another person until the platform is totally ruined and devoid of any living participants because you people thought hollowing out the internet to make it predictably a lonely place for ordering your creep shit would somehow not bite you all in the ass heh