Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
I am new to Docker. I am trying to disable direct root login into the container. For that I did a few things but was unable to fix it; any input will help a lot.
I can log in directly as the user, and the user is in the sudoers, but when I put the user as root then I log in directly.
Code:
root@ip-10-11-175-238:~# docker exec -it 9ec767e2c4ae /bin/bash
dpant@9ec767e2c4ae:/$ ls -la /root
ls: cannot open directory '/root': Permission denied
dpant@9ec767e2c4ae:/$
I can obstruct root with the first option, where I have set a password on root and also on the user which has sudo access. But when I try from root then everything is open for me. I want to deploy the container on another environment, but no one can access it.
Regards Dk
*AGAIN*, as you have been asked MANY times, put things in CODE tags...not sure why that's an issue.
And you *AGAIN* omit anything in the way of details, such as anything about this system, or the 'few things' that you actually did try....do you expect us to guess? Start with the Docker documentation: https://docs.docker.com/engine/security/seccomp/
Can also run the image as a different user, but again...ANYONE can type in "su - " and if they know the root password, escalate things. What, exactly, are you trying to accomplish??
From my side I think it is the usual xy-problem, but I have no idea about the original issue and also I think it is just a bad design, but without details hard to say anything.
Totally agree. Not enough info to do anything with.
Actually, I have two websites with Python and another on React. Both are hosted on Docker through the Jenkins pipeline and everything is working fine.
Now we need to deploy the same container into the other environment using our Jenkins pipeline. Therefore, we made the connectivity. But now the challenge is that they didn't want to share their code with anyone. Therefore, I am trying to block direct root access on the container.
I tried with chattr, but it is also not working; I also tried the root nologin, but nothing works.
I think the container requires root privilege to bring up all the services.
Code:
FROM ubuntu:latest
RUN apt-get update && apt-get -y install sudo
RUN apt-get update && apt-get install -y openssh-server
RUN echo "rootocker!" | chpasswd
RUN useradd -m dpant && echo "dpant:dpant@123" | chpasswd && echo 'dpant ALL=(ALL) ALL' > /etc/sudoers.d/dpant
USER dpant
CMD /bin/bash
RUN touch /home/dpant/testing
RUN echo "hello world" > /home/dpant/testing
RUN chattr +i /home/dpant/testing
Code:
chsh -s /usr/sbin/nologin root
Code:
Sending build context to Docker daemon 3.072kB
Step 1/10 : FROM ubuntu:latest
---> 27941809078c
Step 2/10 : RUN apt-get update && apt-get -y install sudo
---> Using cache
---> 38c511cc70d8
Step 3/10 : RUN apt-get update && apt-get install -y openssh-server
---> Using cache
---> c084e975f28d
Step 4/10 : RUN echo "rootocker!" | chpasswd
---> Using cache
---> 6ef1c1a0763b
Step 5/10 : RUN useradd -m dpant && echo "dpant:dpant@123" | chpasswd && echo 'dpant ALL=(ALL) ALL' > /etc/sudoers.d/dpant
---> Using cache
---> 9219222f2996
Step 6/10 : USER dpant
---> Using cache
---> 77276ce995b4
Step 7/10 : CMD /bin/bash
---> Using cache
---> 3bc167c22966
Step 8/10 : RUN touch /home/dpant/testing
---> Using cache
---> 222ee7f258e1
Step 9/10 : RUN echo "hello world" > /home/dpant/testing
---> Using cache
---> 79ccfb6980af
Step 10/10 : RUN chattr +i /home/dpant/testing
---> Running in 528d399a26a5
chattr: Operation not permitted while setting flags on /home/dpant/testing
The command '/bin/sh -c chattr +i /home/dpant/testing' returned a non-zero code: 1
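As an added check (not code from the thread, from Docker or from LinuxQuestions), this shell function flags the patterns the replies call out in the Dockerfile above: installing sudo and setting a root password reintroduce escalation via "su -"/sudo, RUN steps placed after USER dpant execute unprivileged, and chattr +i needs CAP_LINUX_IMMUTABLE, which is not in Docker's default capability set, so it fails even as root. audit_dockerfile is a hypothetical helper and the sample Dockerfile is constructed with placeholder passwords.

```shell
#!/bin/sh
# Added example, not code from the thread: flag the Dockerfile patterns
# discussed above. audit_dockerfile is a hypothetical helper.
audit_dockerfile() {
    file="$1"; lineno=0; run_user=root
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            USER*)
                # Later RUN steps execute as this account (root only if root/0).
                set -- $line; run_user=$2 ;;
            RUN*)
                case "$line" in *install*sudo*)
                    echo "$lineno: installs sudo (an escalation path for any user who knows a password)" ;;
                esac
                case "$line" in *openssh-server*)
                    echo "$lineno: installs openssh-server (another interactive login path into the container)" ;;
                esac
                case "$line" in *chpasswd*)
                    echo "$lineno: sets an account password with chpasswd (once known, su -/sudo just work)" ;;
                esac
                case "$line" in */etc/sudoers*)
                    echo "$lineno: grants sudo rights via /etc/sudoers" ;;
                esac
                case "$line" in *chattr*)
                    echo "$lineno: chattr needs CAP_LINUX_IMMUTABLE, which Docker drops by default, so it fails even as root" ;;
                esac
                if [ "$run_user" != root ] && [ "$run_user" != 0 ]; then
                    echo "$lineno: RUN after USER $run_user executes unprivileged; root-only steps must come before USER"
                fi ;;
        esac
    done < "$file"
}

# Constructed sample mirroring the posted Dockerfile (passwords are placeholders).
DOCKERFILE_SAMPLE=$(mktemp)
cat > "$DOCKERFILE_SAMPLE" <<'EOF'
FROM ubuntu:latest
RUN apt-get update && apt-get -y install sudo
RUN apt-get update && apt-get install -y openssh-server
RUN echo "root:PLACEHOLDER" | chpasswd
RUN useradd -m dpant && echo "dpant:PLACEHOLDER" | chpasswd && echo 'dpant ALL=(ALL) ALL' > /etc/sudoers.d/dpant
USER dpant
CMD /bin/bash
RUN touch /home/dpant/testing
RUN echo "hello world" > /home/dpant/testing
RUN chattr +i /home/dpant/testing
EOF
audit_dockerfile "$DOCKERFILE_SAMPLE"
```

A Dockerfile that gets no findings from this check still does not hide its contents: anyone who can pull the image can read every layer with docker save or docker cp, which is the point the later replies make.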
Right...as you've said many times before, and *STILL* haven't done.
Again, you omit things...who is "they", and "their code"??? Did you read the Docker documentation about security, and did you pay attention to the fact that even though you disable root logins, you can *STILL* type in "sudo" or "su" as a regular user, and get root privileges?
So you want to run that code without allowing anyone to inspect it? I guess Docker is not the right way to do that. By the way, what kind of code (language) is it? I'm afraid you have two possibilities: 1. put that code into the Docker image, in which case it will be available (obviously within and together with that image); 2. do not share that code, and it will not be accessible.
It is also worth mentioning here that "root access," in the specific context of a container, is "just part of the overall illusion."
The host does not actually perceive that the process is running with uid=0, yet the process perceives that it is the master of its own world. (In fact, it has no idea what its host-side uid/gid "actually" is ... It neither knows nor cares 'how the trick is done,' nor even that a 'trick' is being performed.)
"Inside the phone booth, Clark Kent believes that he is Superman, because it appears that he can fly. And that is good enough for him."
Note also that some containerization technologies do give you the very dangerous option to allow this status to be (!!!) "host-side actual," with all of the dreadful implications that this portends. But, AFAIK, "Docker is not one of them."
Last edited by sundialsvcs; 08-18-2022 at 09:23 AM.