@bortzmeyer @x_cli it has been known in the BSD world to offer hosting with shell access, including root.

@bortzmeyer @Keltounet @x_cli

The answer is here:

electricmonk.nl/log/2017/09/30

"A common practice is to add users that need to run Docker containers on your host to the docker group. [...] What is not obvious right away is that this is basically the same as giving those users root access. You see, the Docker daemon runs as root and when you add users to the docker group, they get full access over the Docker daemon."

@bortzmeyer

Unless I did not understand your question at all. In which case, please accept all my apologies.

@Keltounet @x_cli

@ParadeGrotesque
You are talking about giving a user docker command access. Stéphane was asking about root priv inside the container (which is "safe" if you use user namespaces, and preferably also seccomp, and a LSM)
@bortzmeyer @Keltounet

@bortzmeyer
Correct. You are expected to map the in-container root to an unpriv user on the parent NS. If the mapping maps in-container root to a user with some privileges on the parent NS, there are some more complex rules applying to what you can and can't do. That's because there are still stuff like mount point locks, and setns restrictions.
@ParadeGrotesque @Keltounet

@bortzmeyer @ParadeGrotesque @Keltounet
My answer was inaccurate. Even if mapped to an unpriv user, you have to care about mount point locks and setns restrictions and all of that "good" stuff, but things get even muddier when mapped to a user able to get some privileges and then, I'm not sure what happens.

@bortzmeyer
Basically, OVH VPS (which are containers) grant root priv on the guest, for instance.
@Keltounet

@x_cli @bortzmeyer is KVM impacted? At least one VPS provider with root access uses KVM for their machines (Vultr).

@bortzmeyer @x_cli Right, it is virtualisation, not containers.

One gets confused sometimes with the linux world :)

Sign in to participate in the conversation
Mastodon

Server run by the main developers of the project 🐘 It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!