From b0fd4f882fd9b8c38a004395ea44b32f06431345 Mon Sep 17 00:00:00 2001 From: LIZAO LI Date: Fri, 31 Jul 2015 16:26:40 -0500 Subject: [PATCH] add: best practice for security when sharing host directories. Closes and carries PR #15210 Updating with Seb's comment Signed-off-by: Mary Anthony --- docs/userguide/dockervolumes.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/userguide/dockervolumes.md b/docs/userguide/dockervolumes.md index ef15fa0cbb..f2572422fa 100644 --- a/docs/userguide/dockervolumes.md +++ b/docs/userguide/dockervolumes.md @@ -141,11 +141,21 @@ $ docker run -d -P --name web -v /src/webapp:/opt/webapp:ro training/webapp pyth Here we've mounted the same `/src/webapp` directory but we've added the `ro` option to specify that the mount should be read-only. +Because of [limitations in the `mount` +function](http://lists.linuxfoundation.org/pipermail/containers/2015-April/ +035788.html), moving subdirectories within the host's source directory can give +access from the container to the host's file system. This requires a malicious +user on the host with root access or with access to the Docker socket. Access to +the Docker socket is equivalent to being privileged/root on the host. If your +systems defines a `docker` group, be aware all its members have the necessary +privileges to exploit this. + >**Note**: The host directory is, by its nature, host-dependent. For this >reason, you can't mount a host directory from `Dockerfile` because built images >should be portable. A host directory wouldn't be available on all potential >hosts. + ### Mount a host file as a data volume The `-v` flag can also be used to mount a single file - instead of *just*