[Freeipa-users] client/authentication inside a docker container

Jan Pazdziora jpazdziora at redhat.com
Mon Feb 15 13:39:32 UTC 2016


On Thu, Feb 04, 2016 at 12:37:07PM -0500, Prasun Gera wrote:
> On Thu, Feb 4, 2016 at 10:56 AM, Jan Pazdziora <jpazdziora at redhat.com>
> wrote:
> 
> > > The goal is to run the
> > > docker container such that when the user calls docker run,
> >
> > Is any user allowed to run docker run? That seems like a security
> > issue.
> 
> Well any user that can do sudo should be able to run docker. Is there a
> security issue with that ?

You need to limit those sudo calls to a very specific list of
parameters that can be passed to the docker client, otherwise it has
the potential of running any command.

> > > it just drops
> > > into a shell with the container's environment, but everything else looks
> > > largely the same. i.e. The user gets the same uid:gid and sees the same
> > > directories and permissions as the host.
> >
> > So you want bash started in the container, with the uid:gid of the
> > person invoking the command? If the users are trusted to do docker
> > run, they can do
> >
> >         docker run -u $UID container bash
> >
> > themselves.
> 
> Yes, this is similar to the 3rd point I mentioned. The problem though is
> that directory listings will not show names inside the container. They'll

In that case, having sssd-client package installed in the container and
/var/lib/sss mounted to the container could help.

> only show uids and gids. NIS solves this as a quick hack, but is there
> something better ? Permissions would still work since NFS is not
> kerberized. Another issue I haven't figured out is how the user can get
> sudo inside the container. If you start docker with the user's uid, I don't
> know if there is a safe way for that user to get sudo inside. If you start
> docker in the root shell, you can create the user with the uid:gid, add it
> to sudoers, and then change to the user's shell ?

Yes.

If you have /var/lib/sss mounted and sssd-common (or libsss_sudo
in new versions) installed in the container, you can even use the
sudo rules from IPA.

> > But you likely do not want to give every user a way to run any command,
> > why not just use sudo, and
> >
> >         docker run -u $SUDO_UID container bash
> >
> > in the script invoked with the sudo (untested)?
> 
> I didn't follow this. Can you explain a bit more ? In the default setup,
> you anyway need sudo to run docker.

Not really -- access to docker's Unix socket is all that the docker
client needs.

> What is the -u string here ?

Setting the uid under which the container processes are run back to
the invoking user.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
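
The wrapper approach suggested in the message above (a script invoked through sudo that runs `docker run -u $SUDO_UID` with a fixed parameter list and `/var/lib/sss` mounted), written out as an added example that is not part of the original message. The install path, the `dockerusers` group, the sudoers line and the `--rm -it` options are assumptions; `container` is the placeholder image name used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumed install path: /usr/local/sbin/docker-shell (root-owned, mode 0755).
# Assumed sudoers rule; the trailing "" permits the command only with no
# arguments, so callers cannot hand extra options to the docker client:
#   %dockerusers ALL=(root) /usr/local/sbin/docker-shell ""
IMAGE="container"   # placeholder image name, as written in the thread

# Succeed only for a purely numeric, non-zero id.
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ne 0 ]
}

# Print "uid:gid" of the user who invoked sudo (sudo sets SUDO_UID and
# SUDO_GID). Fail if either is missing, non-numeric, or root.
invoking_user() {
    valid_id "${SUDO_UID:-}" && valid_id "${SUDO_GID:-}" || return 1
    printf '%s:%s\n' "$SUDO_UID" "$SUDO_GID"
}

# Start bash in the container as the invoking user. Every docker
# parameter is fixed here; nothing from the caller's argv is passed on.
run_container_shell() {
    if [ "$#" -ne 0 ]; then
        echo "docker-shell takes no arguments" >&2
        return 2
    fi
    user=$(invoking_user) || {
        echo "run this through sudo as a non-root user" >&2
        return 1
    }
    # /var/lib/sss is mounted so the sssd client libraries in the image
    # can resolve user and group names through the host's sssd.
    exec docker run --rm -it -u "$user" \
        -v /var/lib/sss:/var/lib/sss "$IMAGE" bash
}

# Act only when installed under the assumed name, so the functions can
# be sourced and checked without starting a container.
case "${0##*/}" in
    docker-shell) run_container_shell "$@" ;;
esac
```

With this in place, users need only the single sudoers rule and no access to docker's Unix socket.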
