undefined | Better HN

0 pointsMichaelBurge9y ago0 comments

All those Docker commands usually run as root or something equivalent to root. So a container breakout could lead to root on the host system.

I think kordless is claiming that using Docker here could increase the severity of an attack; otherwise it doesn't seem like putting up another barrier could hurt security, even if it is later broken.

0 comments

2 comments · 2 top-level

kordless9y ago

My claim would be applied to all virtualized environments, including containers and VMs - not just Docker. Microkernels have a decent shot at keeping the security issue at bay, but even then it can't keep them out forever.

Everything falls to hacking eventually. That's the nature of it, at least till now.

I would note that Docker is primarily a tool for developers and operations folk who are also the author of the software being run. Docker itself is not the risk here, but using it for some use cases may very well be.

arno19y ago

I would say, using a Docker would move the vector of attack to a Docker engine and a Linux kernel implementation of cgroups, naming spaces.

But it would still help in preventing such bugs as https://github.com/valvesoftware/steam-for-linux/issues/3671

HN discussion: https://news.ycombinator.com/item?id=8896186

j / k navigate · click thread line to collapse