The whole issue with file permissions in Docker containers comes from the fact that the Docker host shares file ownership and permissions with containers (at least on Linux). Let me remind you here that file permissions on bind mounts are shared between the host and the containers (of course, there are also a few other ways in which file permissions are transferred between host and containers). Whenever we create a file on the host using a user with UID x, this file will have x as its owner UID inside the container, too. And this will happen no matter whether there is a user with UID x inside the container. The same holds whenever a file is created inside the container by a user with UID y (or a process running under this user): this file will appear on the host with owner UID y.

If this sounds strange, it is probably because you are missing some basics of how Docker works. Remember that Docker containers share the same kernel with the host (the server where the Docker daemon runs). Since there is only one kernel, there is also only one set of UIDs and GIDs for the host and all the containers. I am saying “UIDs and GIDs” instead of “users and groups” because the latter is a more generic terminology and I want to point out the difference. User names and group names are not shared! They are not part of the kernel. They are managed by tools external to the kernel (like /etc/passwd and /etc/group), which map user names to UIDs and group names to GIDs. So, you can have the same UID mapped to a different user name in each container and on the host. And because of that, the root user on the host is the same as the root user in any container (they have the same UID, 0). This, in combination with the fact that the default user under which a container is executed is root, can lead to many different kinds of complications or trouble. Let’s have a look at a few cases.

First of all, security issues may arise in a production system. If a container is compromised and the container is executed as root (UID 0), then the intruder has access to any file of the host filesystem that has been made visible in the container filesystem through a mount. The owner UID of files that belong to the host root will be 0 in the container, so they will be accessible to the intruder (the default Docker capability set keeps CAP_DAC_OVERRIDE, so mode bits do not stop a UID 0 process either). The one setup where this does not hold is a daemon configured with user namespace remapping (the `userns-remap` option), which maps container UID 0 to an unprivileged UID range on the host; without it, root in the container is root on every bind mount. Another issue is related to the user under which the build process of a Docker image is executed.
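To make the shared-UID point concrete, here is an added example (my own code, not code from the original article). It uses constructed host and container `/etc/passwd` contents and a constructed inventory of a directory that is about to be bind-mounted, resolves the same owner UID through each passwd file to show that only the number travels with the file, and then lists which of those files a process inside the container could read depending on the UID it runs as. The `inventory` helper is an assumption of mine for running the same check against a real host directory; the equivalent live check is to `touch` a file on the host and run `stat -c %u` on it from inside a container that has the directory bind-mounted.

```python
"""Same UID, different names: an added example, not from the original article.

The host and container passwd contents below are constructed samples; in a real
audit you would read the host's /etc/passwd and the image's
(for example `docker run --rm IMAGE cat /etc/passwd`).
"""
import os
import stat
from typing import Dict, List, Optional, Tuple

# Constructed /etc/passwd contents (not taken from any real system).
HOST_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
deploy:x:1001:1001:deploy:/srv/deploy:/usr/sbin/nologin
"""

CONTAINER_PASSWD = """root:x:0:0:root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
node:x:1000:1000:node:/home/node:/bin/sh
"""

# Constructed inventory of a host directory that gets bind-mounted into a
# container: (path, owner UID on the host, permission bits).
SAMPLE_FILES: List[Tuple[str, int, int]] = [
    ("/srv/app/config.yml", 0, 0o600),     # owned by host root
    ("/srv/app/uploads", 1000, 0o755),     # owned by alice
    ("/srv/app/secret.key", 1001, 0o640),  # owned by deploy
]


def parse_passwd(text: str) -> Dict[int, str]:
    """Map UID -> user name from passwd(5)-style text. The kernel never sees
    these names; they exist only in whichever file the process resolves."""
    table: Dict[int, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        try:
            table[int(fields[2])] = fields[0]
        except ValueError:
            continue
    return table


def views(uid: int, host: Dict[int, str],
          container: Dict[int, str]) -> Tuple[Optional[str], Optional[str]]:
    """How the same owner UID is named on the host and inside the container."""
    return host.get(uid), container.get(uid)


def readable_by(uid: int, owner: int, mode: int) -> bool:
    """Discretionary read check for a process running as `uid` (simplified:
    group membership is ignored). UID 0 keeps CAP_DAC_OVERRIDE in Docker's
    default capability set, so it reads everything regardless of mode."""
    if uid == 0:
        return True
    if uid == owner:
        return bool(mode & stat.S_IRUSR)
    return bool(mode & stat.S_IROTH)


def exposed_paths(files: List[Tuple[str, int, int]], container_uid: int) -> List[str]:
    """Paths a process with the given UID inside the container could read once
    the directory is bind-mounted, since owner UIDs pass through unchanged."""
    return [path for path, owner, mode in files
            if readable_by(container_uid, owner, mode)]


def inventory(directory: str) -> List[Tuple[str, int, int]]:
    """Hypothetical helper: build the same (path, owner UID, mode) triples
    from a real host directory so exposed_paths() can audit it."""
    result = []
    for root, _dirs, names in os.walk(directory):
        for name in names:
            full = os.path.join(root, name)
            st = os.lstat(full)
            result.append((full, st.st_uid, stat.S_IMODE(st.st_mode)))
    return result


if __name__ == "__main__":
    host, container = parse_passwd(HOST_PASSWD), parse_passwd(CONTAINER_PASSWD)
    for uid in (0, 1000, 1001):
        print(uid, views(uid, host, container))
    print("readable by container root:", exposed_paths(SAMPLE_FILES, 0))
    print("readable by container UID 1000:", exposed_paths(SAMPLE_FILES, 1000))
```

UID 1000 shows up as `alice` on the host and as `node` in the container, UID 1001 has no name at all inside the container, and yet the files keep their numeric owners on both sides. Running the container as root exposes every file in the mount; running it as an unprivileged UID leaves only what the mode bits allow, which is why the choice of container user matters as much as the mount itself.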