The banner at the top of https://wiki.debian.org/Docker says:
"The Docker daemon has setUID root, and by design allows easy access as
root to the host filesystem. This makes it trivial for a malicious user
to read and alter sensitive system files, or for a careless user to
allow a malicious containerized app to do so. Access to Docker commands
effectively grants full root power."
I'm trying to test this. I put my own user account in the docker group
(and can execute docker commands with it).
Then I tried to see if I can use Docker to write a file to a root-owned
directory without using sudo or su. I used these commands:

  docker run -dit debian /bin/bash   # start a container (options go before the image name)
  docker cp /home/me/some-file container-id:/some-file   # put a file into the container
  docker cp container-id:/some-file /etc/some-file   # copy the file from the container into somewhere I shouldn't be able to write to

I got:
open /etc/some-file: permission denied
Is the wiki out of date, and is it completely safe to have user accounts
in the docker group?
Is the wiki correct, but I'm exploiting group membership wrongly?
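The question above is really an audit question: who on this host is in the docker group, and is the daemon socket reachable by that group? The following script is an added example (not from the original post or from the Debian wiki) that answers both. It reads a group file given as its first argument so it can be run against a constructed sample; with no argument it reads the real /etc/group. The socket check assumes GNU stat (as on Debian).

```shell
#!/bin/sh
# Added example: audit docker group membership and socket permissions.
# Anyone listed in the docker group can talk to the daemon, and the daemon
# runs as root, so each member has root-equivalent access to the host.

# Print the members of the "docker" group from a group(5)-format file,
# space separated. Defaults to /etc/group when no file is given.
docker_group_members() {
    group_file="${1:-/etc/group}"
    # Fields are name:password:gid:member1,member2,...
    awk -F: '$1 == "docker" { gsub(",", " ", $4); print $4 }' "$group_file"
}

# Report owner, group and mode of the daemon socket, or say it is absent
# (absent on a host using rootless Docker or no Docker at all).
docker_socket_perms() {
    sock="${1:-/var/run/docker.sock}"
    if [ -S "$sock" ]; then
        stat -c '%U:%G %a' "$sock"   # GNU stat; e.g. "root:docker 660"
    else
        echo "no socket at $sock"
    fi
}

# Constructed sample group file so the script runs stand-alone offline.
sample_group=$(mktemp)
cat > "$sample_group" <<'EOF'
root:x:0:
sudo:x:27:me
docker:x:999:me,alice
EOF

members=$(docker_group_members "$sample_group")
echo "docker group members (sample file): $members"
for u in $members; do
    echo "WARNING: $u can run docker commands and therefore has root-equivalent access to the host"
done
echo "daemon socket: $(docker_socket_perms)"
rm -f "$sample_group"
```

Run it as is to see the sample report; run `docker_group_members` with no argument on the real host to list the accounts that should be reviewed. On a default Debian install the socket is root:docker with mode 660, which is exactly what makes group membership equivalent to root.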