Shulou(Shulou.com)06/02 Report--

This article will explain in detail how to lift rights with the help of Docker containers. The content of the article is of high quality, so the editor shares it for you as a reference. I hope you will have a certain understanding of the relevant knowledge after reading this article.

Free of sudo using docker

By default, you must have sudo permission to use docker. For multiple users of a machine, many users often have only ordinary permissions. How to ensure that ordinary users can also use Docker smoothly?

This must not be difficult for everyone, as long as the administrator adds the users who need to use docker to the docker user group (which will be created by default after installing docker), and the user can log in to the machine again to avoid sudo using docker.

User permissions in docker container are not restricted

We know that after a user creates a docker container, the default is the root account in the container. You can change the configuration in the container without adding sudo.

Under normal circumstances, this mode not only ensures that a machine is used by many ordinary users and does not affect each other through the isolation of docker containers, but also gives users sufficient permissions in the container to ensure that they can install software normally, modify container configuration and other operations.

Docker file mapping facilitates file sharing inside and outside the container

When we create the container, docker provides a-v option, which allows users to map the host directory outside the container into the container to facilitate file sharing inside and outside the container.

However, there are conveniences, but the potential risks can also be imagined.

Combined with the above two conveniences, the author thinks of a kind of ordinary users to break through the limits of authority with the help of docker to achieve the purpose of raising rights locally. See the following figure:

Interpretation of power raising

Initially, the test user on the host is a non-sudo group user with only normal permissions. In order to use docker, test users have been added to the docker user group through the administrator in advance.

First, let's create a container with any docker image:

Docker run-it-- rm xxx / bin/bash # General use docker run-it-- rm-v / etc:/etc xxx / bin/bash # abnormal use

The most important point here is the parameter / etc:/etc of the-v option.

We know that the local user information on the linux machine is mainly recorded in the / etc/ directory. For example, two common files / etc/passwd and / etc/group record the basic user attributes and user grouping information, respectively.

A container created normally will also have a / etc directory inside, and the user information inside the container will also be recorded in this directory.

However, I cleverly map the / etc directory on host directly into the container, thus overwriting the / etc directory in the container. In addition, the user in the container defaults to root and has super administrator permissions. As shown in the figure above, a new user test1:adduser test1 is added to the container through the root user in the container, and the user is given sudo permission: usermod-aG sudo test1.

At this point, the role of the docker container is over. Ctrl+D exits the container and returns to host and looks at the basic properties of local users through cat / etc/passwd. I'm sure you can guess what's interesting about doing so. In the figure, I did not check it, but directly su test1, and successfully switched to the users added in the container, that is, the users added in the container were actually added to the host. Use the id command to see that the user has also been synchronously joined to the sudo user group.

In fact, the goal of raising rights has been achieved at this step, and a user test1 with sudo authority has been successfully created by ordinary test users with the help of docker container. The figure only adds one step, adding test to the sudo user group with the help of test1, but the effect is the same.

Of course, instead of adding test1 users, you can directly add test users to sudo user groups in the container, because test users are also visible to the container and can directly manipulate the group to which they belong, as shown below:

Finally, you can also see that test has been added to the sudo user group on host. One of the reasons I didn't check it with the id command at this time is that linux's shell does not automatically update the current user information, so you can exit Terminal and re-enter.

Note: if you do not reconnect at this time, test users still cannot use the sudo command. Problem influence

In this case where multiple users share a machine with the help of docker, ordinary users can easily be promoted to sudo users with the help of docker, thus they can carry out various malicious operations such as arbitrarily modifying the system configuration.

The above is the damage of local users is not very obvious, after all, most of the internal users of the company will not carry out malicious operations. However, in many cases, for the convenience of ordinary users, the user password is often very simple. If the attacker violently cracked the ordinary user's weak password in other ways, he can easily prompt the administrator to engage in unrestricted malicious operations. This also greatly reduces the difficulty of the attacker's attack.

Evasive measures

The docker creation container is created as root by default. The reason why ordinary users can create containers is this docker user group, so we should avoid using this practice. For multiple users who want to use a container, you can create a container with ssh service enabled by the administrator, and provide port mapping to host, so that ordinary users can enter the container through the ssh link. In this way, the activity scope of ordinary users can be limited to the container, and any user's actions will not spread to the host.

On how to use the Docker container to raise rights to share here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.