0

I often pull and run Docker images from hub.docker.com.

I am running with this command:

```
docker run -it xxx/image /bin/bash
```

I never share volumes (with the -v option), for example.

Let's suppose a malicious Docker image. Is there a way for the author of this image to run malicious code on my computer? I mean, for example, accessing my hard drive and sending files over the network?

In other words, is it possible, in the image configuration, to "force" a volume configuration (for example, ask to map / to /mnt in the image)?

mentallurg
Bob5421
  • 1
    How does [the official documentation](https://docs.docker.com/engine/security/#:~:text=Docker%20containers%20are%2C%20by%20default,or%20another%20appropriate%20hardening%20system.) not answer your very generic question? – GACy20 Jan 30 '23 at 15:14
  • Take a look [at this answer](https://security.stackexchange.com/questions/169642/what-makes-docker-more-secure-than-vms-or-bare-metal/169649#169649). Even if it's not directly related to your question, it answers some issues that you could have but not thought about. – ThoriumBR Jan 30 '23 at 16:24

2 Answers

1

Even if you don't share volumes, there are still potential security risks when running a remotely downloaded Docker image. For instance, the image may contain code that runs with elevated privileges inside the container, allowing it to perform actions such as accessing the host's network or consuming host resources.

Additionally, the image could contain exploits or vulnerabilities that can be used to compromise the host system. To minimize the risk, it's recommended to only run images from trusted sources, to inspect the image and its code before running, and to run the image in a container with the least amount of privileges. For example, use the `--user` option to run the container as a non-root user.

You can use Snyk to scan your Docker images for known vulnerabilities. To start using Snyk, you'll need to create a free account on their website. Snyk provides a command-line interface (CLI) that you can use to scan your Docker images. You can install the Snyk CLI by following the instructions in the Snyk documentation. To scan a Docker image, use the Snyk monitor command and specify the image name and registry.

Example:

```
snyk monitor docker://image_name
```

After the scan is complete, Snyk will display a report of the vulnerabilities found in the image, including the severity, CVSS score, and details on how to remediate the issue. If vulnerabilities are found, Snyk provides guidance on how to remediate them. This may include updating the image to a more recent version, installing security patches, or reconfiguring the image to reduce its attack surface.

Rudra Sarkar
  • Thanks, but is there a way to deny elevated privileges when running a Docker image? – Bob5421 Feb 02 '23 at 07:23
  • Can you be more specific? For example, Windows UAC or sudo in Linux: this type of privileges? – Rudra Sarkar Feb 02 '23 at 09:44
  • If not, then I've already mentioned how you can elevate privileges following this command: `docker run --user 1000 -it xxx/image /bin/bash` – Rudra Sarkar Feb 02 '23 at 10:43
  • Thanks, but these are "docker run" arguments and only I have control of the arguments. – Bob5421 Feb 03 '23 at 17:52
  • Indeed, that is right. The docker run arguments are controlled by the user and only the user has control over them. The choice of arguments to use when running a Docker container is up to the user and can be adjusted based on specific requirements and security concerns. – Rudra Sarkar Feb 04 '23 at 18:39
  • What I want to know is: is there a danger if I run without volume sharing and without privileges? Thanks – Bob5421 Feb 07 '23 at 06:39
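
As an added example (not code from this thread), the settings an image author controls can be read from `docker image inspect` before running anything. The JSON below is a constructed sample and `audit_image` is a hypothetical helper; a `VOLUME` entry in an image names only a path inside the container, which Docker backs with an anonymous volume, while host paths come only from the `docker run` arguments.

```python
import json

# Constructed sample of `docker image inspect xxx/image` output (trimmed).
SAMPLE_IMAGE_INSPECT = """
[{"Id": "sha256:<constructed>",
  "Config": {"User": "",
             "Volumes": {"/mnt": {}},
             "ExposedPorts": {"8080/tcp": {}},
             "Entrypoint": ["/entrypoint.sh"],
             "Cmd": ["/bin/sh"]}}]
"""


def audit_image(inspect_json):
    """Return notes on the settings baked into the image by its author."""
    cfg = json.loads(inspect_json)[0].get("Config") or {}
    notes = []
    # An empty User field means the container process starts as root.
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        notes.append("user: image runs as root unless --user is given")
    # VOLUME declarations name container paths only, never host paths.
    for path in sorted(cfg.get("Volumes") or {}):
        notes.append(f"volume: {path} gets an anonymous volume, no host path")
    # EXPOSE is metadata; nothing is published without -p or -P.
    for port in sorted(cfg.get("ExposedPorts") or {}):
        notes.append(f"port: {port} is declared, published only with -p/-P")
    # With an ENTRYPOINT set, the command given to `docker run` becomes its
    # arguments, so `/bin/bash` on the command line does not replace it.
    if cfg.get("Entrypoint"):
        notes.append("entrypoint: %s receives your command as arguments"
                     % " ".join(cfg["Entrypoint"]))
    return notes


if __name__ == "__main__":
    for note in audit_image(SAMPLE_IMAGE_INSPECT):
        print(note)
```
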
0

If the image is malicious, it can run malicious code on your system, even if you don't map any volumes for it.

Docker images are not intended to isolate malicious code from your host; it's intended to make easier the transition from development to testing to production. If you use a controlled and vetted image, that's fine.

Malicious images can exploit kernel bugs and execute code in the host. They can abuse your loaded modules. Depending on your system configuration, they can connect to the Docker control socket and delete, spawn, and create images.

The safer way to run a Docker image is to load a VM, and run the container on that image.

ThoriumBR
  • *"it's intended to make easier the transition from development to testing to production"* - This is an interesting view on the purpose of Docker. Sure, it is often used also for this. But the main purpose is to *isolate* processes. With Docker you can, for instance, run 5 different versions of the same application, e.g. different versions of Nginx or different versions of PostgreSQL. Without Docker it would take considerable effort to isolate these processes. – mentallurg Jan 30 '23 at 17:35
  • Thanks, but I can prevent the containers from accessing the Docker socket. If I exclude kernel bugs, how can the container interact with the host? – Bob5421 Jan 30 '23 at 21:27
  • 1
    You are running an image that can be malicious and your system *has* kernel bugs, even if almost all of them aren't known now. Don't exclude kernel bugs from the scenario: a system that isn't vulnerable now can be vulnerable the next day. – ThoriumBR Jan 30 '23 at 21:36
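
As an added example (not code from this thread), this compares what the `docker run` arguments expose for the command in the question and for a reduced-privilege run, using `docker inspect` output. Both JSON samples are constructed and `audit_container` is a hypothetical helper; it reads configuration only, so the kernel-bug risk described in the answer above does not show up in it.

```python
import json

DOCKER_SOCK = "/var/run/docker.sock"
NNP = {"no-new-privileges", "no-new-privileges:true", "no-new-privileges=true"}

# Constructed `docker inspect <container>` output (trimmed) for two runs:
# the question's plain `docker run -it`, and the same image started with
# --user 1000:1000 --cap-drop ALL --security-opt no-new-privileges --network none
DEFAULT_RUN = """[{"Config": {"User": ""},
  "HostConfig": {"Privileged": false, "Binds": null, "CapAdd": null,
                 "CapDrop": null, "SecurityOpt": null,
                 "NetworkMode": "default", "PidMode": ""}}]"""
HARDENED_RUN = """[{"Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "Binds": null, "CapAdd": null,
                 "CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges"],
                 "NetworkMode": "none", "PidMode": ""}}]"""


def audit_container(inspect_json):
    """Return the host-facing exposures set by the run arguments."""
    data = json.loads(inspect_json)[0]
    host, cfg = data.get("HostConfig") or {}, data.get("Config") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    # Bind mounts are "source:destination[:options]"; check the host side.
    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        findings.append("docker-socket-mounted" if src == DOCKER_SOCK
                        else "host-path-mounted:" + src)
    if "ALL" not in [cap.upper() for cap in host.get("CapDrop") or []]:
        findings.append("default-capabilities-kept")
    if host.get("CapAdd"):
        findings.append("capabilities-added:" + ",".join(host["CapAdd"]))
    if not NNP & set(host.get("SecurityOpt") or []):
        findings.append("no-new-privileges-not-set")
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("runs-as-root")
    if "host" in (host.get("NetworkMode"), host.get("PidMode")):
        findings.append("host-namespace-shared")
    return findings


if __name__ == "__main__":
    print("default :", audit_container(DEFAULT_RUN))
    print("hardened:", audit_container(HARDENED_RUN))
```
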