5

You can and generally should (1) run the Docker daemon (or Podman, or something else) as rootless, and/or (2) use user-namespace remapping, to improve security.

You can also (3) use rootless images, where the container does not run any processes as root. For example, nginx-unprivileged runs as the nginx user instead of root.

Sometimes the images do not have rootless variants, and creating a rootless variant for some tool X may involve a non-trivial amount of work (solving problems with file permissions, etc.).

If we are already using #1 and/or #2, does it matter if the image is not rootless?


Janne Mattila

1 Answer

3

This is an interesting question, and somewhat unintuitively, I'd say the answer is that it could matter.

Rootless Docker/Podman etc. make use of "unprivileged user namespaces" to allow non-root users to appear to be root. When a user is root, even in a user namespace, they have access to some Linux kernel codepaths that are not available to non-root users.

This means that, if there is a vulnerability in the Linux kernel that requires access to a specific codepath, it's easier to exploit if you're the root user.

I've seen cases where, in general, unprivileged user namespaces allow for exploitation (e.g. CVE-2022-0185), but I'm not sure I've seen one where root in a container would be the difference, so this may be somewhat theoretical as risks go.

Rory McCune
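As an added example (not from the original question or answer), here is a small POSIX shell check an operator can run inside a container to tell apart the three situations discussed above: real root in the initial user namespace, root that only exists inside a user namespace (rootless Docker/Podman or userns-remap), and a genuinely unprivileged user such as the one in nginx-unprivileged. It does this by parsing /proc/self/uid_map; the sample uid_map contents at the bottom are constructed for illustration.

```shell
# classify_uid <uid> <uid_map_contents>
#   <uid_map_contents> is the text of /proc/self/uid_map: one or more lines of
#   "<first-id-in-ns> <first-id-in-parent> <length>". In the initial user
#   namespace it is the single identity line "0 0 4294967295".
classify_uid() {
    uid="$1"
    uid_map="$2"
    if [ "$uid" != "0" ]; then
        echo "non-root (uid $uid)"
        return 0
    fi
    # Find the mapping line that covers uid 0 inside this namespace.
    result=$(printf '%s\n' "$uid_map" | while read -r ns_start parent_start length; do
        [ -z "$ns_start" ] && continue
        if [ "$ns_start" -eq 0 ] && [ "$length" -gt 0 ]; then
            if [ "$parent_start" -eq 0 ] && [ "$length" -eq 4294967295 ]; then
                echo "root in the initial user namespace (real host root)"
            else
                echo "root inside a user namespace (maps to host uid $parent_start)"
            fi
            break
        fi
    done)
    if [ -n "$result" ]; then
        echo "$result"
    else
        echo "root with no mapping for uid 0 (unusual; check uid_map)"
    fi
}

# Convenience wrapper: inspect the calling process itself.
classify_self() {
    classify_uid "$(id -u)" "$(cat /proc/self/uid_map)"
}

# Constructed sample uid_map contents (not captured from a real host):
#  - initial namespace: identity mapping over the whole uid range
#  - userns-remap daemon: container uid 0 maps to host uid 100000
#  - rootless daemon: container uid 0 maps to the user's own uid 1000,
#    uids 1.. map to a subordinate range
INITIAL_NS_MAP="         0          0 4294967295"
REMAPPED_MAP="         0     100000      65536"
ROOTLESS_MAP=$(printf '%s\n%s' "         0       1000          1" \
                                "         1     100000      65536")

classify_uid 0 "$INITIAL_NS_MAP"
classify_uid 0 "$REMAPPED_MAP"
classify_uid 0 "$ROOTLESS_MAP"
classify_uid 101 "$REMAPPED_MAP"
```

Run `classify_self` inside a container to see which case applies; anything other than "non-root" means the process can still reach the root-only kernel codepaths the answer refers to, even when the daemon is rootless or remapped.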