granting rights to users to use Docker in Fedora 19 and 20

How to grant rights to users to use Docker in Fedora

Posted 16 Oct 2014 by 

Daniel J Walsh (Red Hat)
up
58 readers like this
Image by : 

opensource.com

On the docker-dev list someone asked about Fedora documentation that described how you add a user to the docker group. The user wanted to allow his users to do a docker search to try to find images that they could use.

From the Docker installation documentation regarding Fedora:

Granting rights to users to use Docker

Fedora 19 and 20 shipped with Docker 0.11. The package has already been updated to 1.0 in Fedora 20. If you are still using the 0.11 version, you will need to grant rights to users of Docker.

The docker command line tool contacts the docker daemon process via a socket file /var/run/docker.sock owned by group docker. One must be a member of that group in order to contact the docker -d process.

Luckily this documentation is somewhat wrong, and you still need to add users to the docker group in order for them to use docker from a non-root account. I would hope that all distributions have this policy.

On Fedora and RHEL we have the following permissions on the docker.sock:

# ls -l /run/docker.sock<br />
srw-rw----. 1 root docker 0 Sep 19 12:54<br />
/run/docker.sock<br />

This means that only the root user or the users in the docker group can talk to this socket. Also since docker runs asdocker_t, SELinux prevents all confined domains from connecting to this docker.sock.

No Authorization controls from docker

Docker currently does not have any authorization controls. If you can talk to the docker socket or if docker is listening on a network port and you can talk to it, you are allowed to execute all docker commands.

For example, if I add "dwalsh" to the docker group on my machine, I can execute.

> docker run -ti --rm --privileged --net=host -v /:/host fedora /bin/sh<br />
# chroot /host<br />

At which point you, or any user that has these permissions, has total control on your system.

Adding a user to the docker group should be considered the same as adding:

USERNAME    ALL=(ALL)   NOPASSWD: ALL<br />

to the /etc/sudoers file. Any application the user runs on his machine can become root, even without him knowing. I believe a better more secure solution would be to write scripts to allow the user the access you want to allow.

cat /usr/bin/dockersearch<br />
#!/bin/sh<br />
docker search $@

Then set up sudo with:

USERNAME    ALL=(ALL)   NOPASSWD: /usr/bin/dockersearch

I hope to eventually add some kind of authorization database to docker to allow admins to configure which commands you would allow a user to execute, and which containers you might allow them to start/stop.

First eliminating the ability to execute docker run --privileged or docker run --cap-remove would be a step in the right direction. But, if you have read my other posts, you know that a lot more needs to be done to make containers contain.

Originally posted on www.projectatomic.io as "Granting Rights to Users to Use Docker in Fedora." Reposted under Creative Commons.

Daniel Walsh has worked in the computer security field for almost 30 years. Dan joined Red Hat in August 2001. Dan leads the RHEL Docker enablement team since August 2013, but has been working on container technology for several years.  He has led the SELinux project, concentrating on the application space and policy development.  Dan helped developed sVirt, Secure Vitrualization.  He also created the SELinux Sandbox, the Xguest user and the Secure Kiosk.  Previously, Dan worked Netect/