Disable root access directly

08-12-2022, 04:43 AM   #1
pantdk (Member; Registered: Oct 2011; Location: New Delhi)

I am new to Docker. I am trying to disable direct root login into the container. I did a few things for that but was unable to fix it; any input will help a lot.

I can log in directly as the user (and the user is in the sudoers), but when I put the user as root then I log in directly.

Code:
root@ip-10-11-175-238:~# docker exec -it 9ec767e2c4ae /bin/bash
dpant@9ec767e2c4ae:/$ ls -la /root
ls: cannot open directory '/root': Permission denied
dpant@9ec767e2c4ae:/$

root@ip-10-11-175-238:~# docker exec -it --user root 2fba98d9d60e /bin/bash
root@2fba98d9d60e:/home/ubuntu#
I can obstruct root in the first option, where I have set a password on root and also on the user which has sudo access. But when I try from root then everything is open for me. I want to deploy the container on another environment, but no one can access it.

Regards Dk

 
08-12-2022, 08:51 AM   #2
TB0ne (LQ Guru; Registered: Jul 2003; Location: Birmingham, Alabama; Distribution: SuSE, RedHat, Slack, CentOS)
Quote:
Originally Posted by pantdk View Post
I am new to the docker. I am trying to disable direct root login into the container. For that I did few things but unable to fix it any input will help a lot

I can login directly from user and user into the sudoers but when put user as Root then I login directly
Code:
root@ip-10-11-175-238:~# docker exec -it  9ec767e2c4ae /bin/bash
dpant@9ec767e2c4ae:/$ ls -la /root
ls: cannot open directory '/root': Permission denied
dpant@9ec767e2c4ae:/$

root@ip-10-11-175-238:~# docker exec -it --user root 2fba98d9d60e /bin/bash
root@2fba98d9d60e:/home/ubuntu#
I can obstruct the Root from the first option where I have set password on root and also on the user which sudo access, But when I try from Root then all everything is open for me I want to deploy the container on other environment but no one can access it

Regards Dk
*AGAIN*, as you have been asked MANY times, put things in CODE tags...not sure why that's an issue.

And you *AGAIN* omit anything in the way of details, such as anything about this system, or the 'few things' that you actually did try....do you expect us to guess? Start with the Docker documentation:
https://docs.docker.com/engine/security/seccomp/

Can also run the image as a different user, but again...ANYONE can type in "su - " and if they know the root password, escalate things. What, exactly, are you trying to accomplish??
 
08-12-2022, 10:27 AM   #3
pan64 (LQ Addict; Registered: Mar 2012; Location: Hungary; Distribution: debian/ubuntu/suse ...)
Quote:
Originally Posted by TB0ne View Post
Can also run the image as a different user, but again...ANYONE can type in "su - " and if they know the root password, escalate things. What, exactly, are you trying to accomplish??
From my side I think it is the usual XY problem, but I have no idea about the original issue, and I also think it is just a bad design; but without details it is hard to say anything.
 
08-12-2022, 01:54 PM   #4
TB0ne (LQ Guru; Registered: Jul 2003; Location: Birmingham, Alabama; Distribution: SuSE, RedHat, Slack, CentOS)
Quote:
Originally Posted by pan64 View Post
From my side I think it is the usual xy-problem, but I have no idea about the original issue and also I think it is just a bad design, but without details hard to say anything.
Totally agree. Not enough info to do anything with.
 
08-12-2022, 03:31 PM   #5
pantdk (Member, Original Poster; Registered: Oct 2011; Location: New Delhi)

Sorry "TB0ne" for missing the CODE tags.

Actually, I have two websites, one in Python and another on React. Both are hosted on Docker through the Jenkins pipeline and everything is working fine.
Now we need to deploy the same container into the other environment using our Jenkins pipeline. Therefore, we made the connectivity. But now the challenge is that they don't want to share their code with anyone. Therefore, I am trying to block direct root access on the container.
I tried with chattr but it is also not working; I also tried to remove the root nologin, but nothing works.

I think the container requires root privilege to bring up all the services.


Code:
FROM ubuntu:latest
RUN apt-get update && apt-get -y install sudo
RUN apt-get update && apt-get install -y openssh-server
RUN echo "rootocker!" | chpasswd
RUN useradd -m dpant && echo "dpant:dpant@123" | chpasswd && echo 'dpant ALL=(ALL) ALL' > /etc/sudoers.d/dpant
USER dpant
CMD /bin/bash
RUN touch /home/dpant/testing
RUN echo "hello world" > /home/dpant/testing
RUN chattr +i /home/dpant/testing
Code:
chsh -s /usr/sbin/nologin root

Code:
Sending build context to Docker daemon 3.072kB
Step 1/10 : FROM ubuntu:latest
---> 27941809078c
Step 2/10 : RUN apt-get update && apt-get -y install sudo
---> Using cache
---> 38c511cc70d8
Step 3/10 : RUN apt-get update && apt-get install -y openssh-server
---> Using cache
---> c084e975f28d
Step 4/10 : RUN echo "rootocker!" | chpasswd
---> Using cache
---> 6ef1c1a0763b
Step 5/10 : RUN useradd -m dpant && echo "dpant:dpant@123" | chpasswd && echo 'dpant ALL=(ALL) ALL' > /etc/sudoers.d/dpant
---> Using cache
---> 9219222f2996
Step 6/10 : USER dpant
---> Using cache
---> 77276ce995b4
Step 7/10 : CMD /bin/bash
---> Using cache
---> 3bc167c22966
Step 8/10 : RUN touch /home/dpant/testing
---> Using cache
---> 222ee7f258e1
Step 9/10 : RUN echo "hello world" > /home/dpant/testing
---> Using cache
---> 79ccfb6980af
Step 10/10 : RUN chattr +i /home/dpant/testing
---> Running in 528d399a26a5
chattr: Operation not permitted while setting flags on /home/dpant/testing
The command '/bin/sh -c chattr +i /home/dpant/testing' returned a non-zero code: 1
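An added example (not from any poster in this thread) that audits the Dockerfile above for the three things the replies point at: a password baked into an image layer is readable by anyone who can pull the image, a root-only command after a non-root USER fails, and chattr +i needs CAP_LINUX_IMMUTABLE, which docker build does not grant even to root. The Dockerfile is embedded as posted so the audit runs offline; the finding texts and the ROOT_ONLY list are this example's own choices.

```python
import re

# The Dockerfile posted above, embedded so the audit runs offline
# (the chpasswd line for root is copied exactly as posted).
DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get -y install sudo
RUN apt-get update && apt-get install -y openssh-server
RUN echo "rootocker!" | chpasswd
RUN useradd -m dpant && echo "dpant:dpant@123" | chpasswd && echo 'dpant ALL=(ALL) ALL' > /etc/sudoers.d/dpant
USER dpant
CMD /bin/bash
RUN touch /home/dpant/testing
RUN echo "hello world" > /home/dpant/testing
RUN chattr +i /home/dpant/testing
"""

# commands that only make sense as root; after a non-root USER they fail
ROOT_ONLY = re.compile(r"\b(apt-get|useradd|chpasswd|chattr)\b")

def audit_dockerfile(text):
    """Return (line_number, finding) pairs for the mistakes this thread turns on."""
    findings = []
    user = "root"  # docker build runs RUN steps as root until a USER instruction
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "USER":
            user = args.strip()
        if instr != "RUN":
            continue
        if "chpasswd" in args:
            # the password is stored in the image layer and `docker history`;
            # anyone who can pull the image can read it (pan64's point)
            findings.append((n, "plaintext password baked into the image via chpasswd"))
        if "openssh-server" in args:
            # sshd is one more login path to harden, and it does not stop
            # `docker exec --user root` from the host (TB0ne's point)
            findings.append((n, "sshd installed; docker exec --user root bypasses it anyway"))
        if re.search(r"\bchattr\s+\+i\b", args):
            # +i needs CAP_LINUX_IMMUTABLE, which docker build never grants,
            # so the step fails even as root (the error in the build log above)
            findings.append((n, "chattr +i needs CAP_LINUX_IMMUTABLE; unavailable in docker build"))
        if user != "root" and ROOT_ONLY.search(args):
            findings.append((n, f"root-only command runs as USER {user}"))
    return findings
```

None of these findings changes the host-side fact TB0ne raises: whoever can reach the Docker socket can run `docker exec --user root`, so the control has to live on the host (who may use the daemon), not inside the image.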
 
08-13-2022, 10:18 AM   #6
TB0ne (LQ Guru; Registered: Jul 2003; Location: Birmingham, Alabama; Distribution: SuSE, RedHat, Slack, CentOS)
Quote:
Originally Posted by pantdk View Post
Sorry "TB0ne" to miss the CODE tags.
Right...as you've said many times before, and *STILL* haven't done.
Quote:
Code:
FROM ubuntu:latest
RUN apt-get update && apt-get -y install sudo
RUN apt-get update && apt-get install -y openssh-server
RUN echo "rootocker!" | chpasswd
RUN useradd -m dpant && echo "dpant:dpant@123" | chpasswd && echo 'dpant ALL=(ALL) ALL' > /etc/sudoers.d/dpant
USER dpant
CMD /bin/bash
RUN touch /home/dpant/testing
RUN echo "hello world" > /home/dpant/testing
RUN chattr +i /home/dpant/testing
Code:
chsh -s /usr/sbin/nologin root

Sending build context to Docker daemon 3.072kB
Step 1/10 : FROM ubuntu:latest
---> 27941809078c
Step 2/10 : RUN apt-get update && apt-get -y install sudo
---> Using cache
---> 38c511cc70d8
Step 3/10 : RUN apt-get update && apt-get install -y openssh-server
---> Using cache
---> c084e975f28d
Step 4/10 : RUN echo "rootocker!" | chpasswd
---> Using cache
---> 6ef1c1a0763b
Step 5/10 : RUN useradd -m dpant && echo "dpant:dpant@123" | chpasswd && echo 'dpant ALL=(ALL) ALL' > /etc/sudoers.d/dpant
---> Using cache
---> 9219222f2996
Step 6/10 : USER dpant
---> Using cache
---> 77276ce995b4
Step 7/10 : CMD /bin/bash
---> Using cache
---> 3bc167c22966
Step 8/10 : RUN touch /home/dpant/testing
---> Using cache
---> 222ee7f258e1
Step 9/10 : RUN echo "hello world" > /home/dpant/testing
---> Using cache
---> 79ccfb6980af
Step 10/10 : RUN chattr +i /home/dpant/testing
---> Running in 528d399a26a5
chattr: Operation not permitted while setting flags on /home/dpant/testing
The command '/bin/sh -c chattr +i /home/dpant/testing' returned a non-zero code: 1
Actually, I have two websites with python and another on react. Both are hosted on docker through the jenkins pipeline and everything is working fine. Now we need to deploy the same container into the other environment using our jenkins pipeline. Therefore, we made the connectivity. But now the challenge is that they didn't want to share their code with anyone. Therefore, I am trying to block the Root direct access on the container. I try to with chattr but it is also not working also try to remove the root nologin but nothing works. I think container is required root privilege to bring up all the service.
Again, you omit things...who is "they", and "their code"??? Did you read the Docker documentation about security, and did you pay attention to the fact that even though you disable root logins, you can *STILL* type in "sudo" or "su" as a regular user, and get root privileges?
 
08-13-2022, 12:54 PM   #7
pan64 (LQ Addict; Registered: Mar 2012; Location: Hungary; Distribution: debian/ubuntu/suse ...)
Quote:
Originally Posted by pantdk View Post
they didn't want to share their code with anyone.
So you want to run that code without allowing anyone to inspect it? I guess Docker is not the right way to do that. By the way, what kind of code (language) is it? I'm afraid you have two possibilities: 1. put that code into the Docker image, in which case it will be available (obviously within and together with that image); 2. do not share that code, and it will not be accessible.
 
08-18-2022, 09:12 AM   #8
sundialsvcs (LQ Guru; Registered: Feb 2004; Location: SE Tennessee, USA; Distribution: Gentoo, LFS)
It is also worth mentioning here that "root access," in the specific context of a container, is "just part of the overall illusion."

The host does not actually perceive that the process is running with uid=0, yet the process perceives that it is the master of its own world. (In fact, it has no idea what its host-side uid/gid "actually" is ... It neither knows nor cares 'how the trick is done,' nor even that a 'trick' is being performed.)

"Inside the phone booth, Clark Kent believes that he is Superman, because it appears that he can fly. And that is good enough for him."

Note also that some containerization technologies do give you the very-dangerous option to allow this status to be(!!!) "host-side actual," with all of the dreadful implications that this portends. But, AFAIK, "Docker is not one of them."

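How to check which case a given container is in: the kernel publishes the uid translation in /proc/self/uid_map, one "inside outside length" range per line. An identity range (0 maps to 0) is what a default dockerd without userns-remap produces, so container uid 0 is then host uid 0 (capabilities are still restricted); a remapped range is what userns-remap or rootless Docker produces. Added example, not from any poster; the two sample maps are constructed.

```python
# Constructed sample uid_map contents (same format as /proc/self/uid_map).
IDENTITY_MAP = "         0          0 4294967295\n"   # no user namespace remap
REMAPPED_MAP = "         0     100000      65536\n"   # userns-remap / rootless docker

def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, length) ranges."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate blank or malformed lines
        inside, outside, length = (int(p) for p in parts)
        ranges.append((inside, outside, length))
    return ranges

def host_uid(container_uid, ranges):
    """Translate a container uid to the host uid.

    Returns None when no range covers it; the kernel then presents the
    overflow uid (nobody, 65534) for such ids.
    """
    for inside, outside, length in ranges:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None

def root_is_host_root(text):
    """True when uid 0 inside the container is uid 0 on the host."""
    return host_uid(0, parse_uid_map(text)) == 0

def check_self():
    """Read the live mapping of the calling process (Linux only)."""
    with open("/proc/self/uid_map") as f:
        return root_is_host_root(f.read())
```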