5

Is the root user in a Docker image/container the same as the root user of the machine? I am curious about the security implications of using the root user in the Docker image.

TMK, the container is run by a non-root user (often the user is called "docker") and that user launched the docker-dameon. And the docker daemon launches the container process.

Alexander Mills
  • 395
  • 1
  • 3
  • 11

1 Answers1

3

No the root in container is a root-user of container. Remember containers runs isolated. DOcker uses cgroups and libvirt of kernel linux.

Vader
  • 466
  • 3
  • 15
  • Hold on, if you just run a docker container and you are UID 0 in that container, and (as an example) you have mounted in some root owned files into the container then my understanding was that without adding the additional security mechanisms provided by docker (and most container management interfaces) such as selinux or user namespaces etc. that you would be able to behave as UID 0 with regards to doing things to those files that were root owned on the host. – hvindin Feb 29 '20 at 02:06
  • @hvindin that sounds accurate. here is one thing to consider though - platforms like GCP or AWS don't do nothin to stop you using USER root in a Dockerfile, if you could jump out of the container on their platforms then they wouldn't be happy but sounds secure enough, and they prevent you from jumpin out by not sharing root volumes maybe idk. – Alexander Mills Dec 16 '20 at 22:49
  • @hvindin is correct, the UID is the same both inside and outside the container. Any files created would be owned by root, and any files accessed are checked against UID 0 for access permissions. Docker's security model considers programs inside a container as potential threat, but entirely trusts whoever is running the docker run command.

    From https://docs.docker.com/engine/security/#docker-daemon-attack-surface, "only trusted users should be allowed to control your Docker daemon". Anyone who can run docker has root access to the host device.

     – Eldritch Cheese Aug 29 '21 at 01:30