https://www.baszerr.eu/ Wed, 06 May 2026 11:51:28 +0000 FeedCreator 1.8 https://www.baszerr.eu/lib/exe/fetch.php?media=wiki:dokuwiki.svg https://www.baszerr.eu/ https://www.baszerr.eu/doku.php?id=blog:2016:09:20:root_via_docker <h1 class="sectionedit1" id="root_via_docker">2016-09-20 - root via docker</h1> <div class="level1"> <p> <a href="https://www.baszerr.eu/lib/exe/detail.php?id=blog%3A2016%3A09%3A20%3Aroot_via_docker&amp;media=blog:2016:09:20:docker_logo.png" class="media" title="blog:2016:09:20:docker_logo.png"><img src="https://www.baszerr.eu/lib/exe/fetch.php?w=400&amp;tok=2c78d9&amp;media=blog:2016:09:20:docker_logo.png" class="mediaright" align="right" loading="lazy" title="docker&#039;s logo" alt="docker&#039;s logo" width="400" /></a> </p> <p> there are a lot of discussions regarding docker and its security features. there are two main aspects here: </p> <ol> <li class="level1"><div class="li"> can application, started as a non-root, inside a container, escape from it?</div> </li> <li class="level1"><div class="li"> can we gain root access by having an access to docker?</div> </li> </ol> <p> in this post i&#039;d like to quickly answer 2nd question. just try this one out: </p> <pre class="code bash">docker run <span class="re5">-it</span> <span class="re5">--rm</span> <span class="re5">-v</span> <span class="sy0">/</span>etc<span class="sy0">/</span>:<span class="sy0">/</span>mnt debian:stable <span class="kw2">sed</span> <span class="re5">-i</span> <span class="sy0">/</span>mnt<span class="sy0">/</span>shadow <span class="st_h">'s#^root:.*#root:YOUR_PROPERLY_ENCODED_PASSWORD_GOES_HERE:0:0:99999:7:::'</span> <span class="kw3">exit</span> <span class="kw2">su</span> <span class="co0"># type in your new password</span></pre> <p> and voila – you&#039;re root now. </p> <p> how does it work? it&#039;s simple – we&#039;re mapping content of /etc/ from root filesystem (docker&#039;s daemon can access it) as /mnt inside our (temporary) container. inside the container, with root privileges, we edit <em>shadow</em> file, to set our own password. </p> <p> is it the only way to go? definitely NO! some more examples follow: </p> <ul> <li class="level1"><div class="li"> map the whole / to /mnt and do <em>chroot</em> into there – root there is!</div> </li> <li class="level1"><div class="li"> export device with a filesystem to a container (eg. <em>–device=/dev/sda</em>) and mount/hex-edit it there – and root there is!</div> </li> <li class="level1"><div class="li"> map any directory you want to /mnt and just steal/change what you need w/o leaving additional traces.</div> </li> </ul> <p> …and probably many more, alike. i think you get the point. </p> <p> <strong>long story short – giving any user access to docker daemon means effectively giving her a root access.</strong> </p> </div> anonymous@undisclosed.example.com (Anonymous) Tue, 15 Jun 2021 20:09:21 +0000