re: Docker: Restricting in- and outbound network traffic

re: No, your container still runs as root. Use the USER instruction in your Dockerfile. When you launch the container, you add the --privileged option. This will ...

Yep, that is true, BUT the actual application gets executed as a non-privileged user (see the ENTRYPOINT script).

In other words: yes, the container is running as root (otherwise it wouldn't be possible to configure the iptables rules), but the application (in this case "curl") runs as a non-privileged user.

The respective line is:

sudo su <user> sh -c <command>

Neither of us is a native English speaker. But I want to state that your idea is wrong.

First, make the iptables changes on the host. You don't have to do it inside the container. Then you don't need to be the root user in the Dockerfile.

Secondly, your container still runs as root and is launched with the --privileged option. Anyone with docker group permission can go inside your container. Then he can access /dev and do whatever read/write on your hardware/software devices freely. This is a typical privilege escalation. Don't you agree with me?

Thirdly, you don't need to say that you switch accounts. I can read. But it doesn't change the fact that your container still runs as root.

Again, if you don't get it, it is fine. I'm done with my explanation.

But I hope you will remove this blog post and stop misleading others.

This is very important for keeping our Internet safe.
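As an added example that is not part of either comment, here is a small defender-side audit that reads `docker inspect` JSON and flags the two things argued about above: a container whose process starts as root (empty or root `Config.User`, i.e. no USER instruction, whatever the entrypoint does with `sudo su` later) and a container started with `--privileged` (`HostConfig.Privileged`), plus added CAP_NET_ADMIN and mapped host devices. The sample records are constructed to mimic `docker inspect` output; in practice you would feed it the real output of `docker inspect $(docker ps -q)`.

```python
"""Audit `docker inspect` output for containers that run as root and/or --privileged."""
import json
from typing import Dict, List


def container_findings(record: Dict) -> List[str]:
    """Return the findings for one `docker inspect` record."""
    cfg = record.get("Config") or {}
    host = record.get("HostConfig") or {}
    findings = []
    # Config.User is "" when the image has no USER instruction: PID 1 starts as uid 0.
    # An entrypoint that later drops privileges (sudo su <user>) is invisible here,
    # and the container itself still started as root.
    user = (cfg.get("User") or "").strip()
    if user in ("", "root", "0") or user.startswith(("0:", "root:")):
        findings.append("runs as root (no USER instruction or USER root)")
    if host.get("Privileged"):
        findings.append("--privileged: full access to /dev and all capabilities")
    if "NET_ADMIN" in (host.get("CapAdd") or []):
        findings.append("CAP_NET_ADMIN added: container can rewrite its own iptables rules")
    for dev in host.get("Devices") or []:
        findings.append(f"host device mapped: {dev.get('PathOnHost')}")
    return findings


def audit(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> findings for every record in `docker inspect` output."""
    return {
        (rec.get("Name") or rec.get("Id", "?")).lstrip("/"): container_findings(rec)
        for rec in json.loads(inspect_json)
    }


# Constructed sample mimicking `docker inspect <a> <b>` output (not real containers).
SAMPLE = json.dumps([
    {"Id": "aaaa", "Name": "/curl-privileged",
     "Config": {"User": "", "Image": "curl-fw"},
     "HostConfig": {"Privileged": True, "CapAdd": None, "Devices": []}},
    {"Id": "bbbb", "Name": "/curl-hardened",
     "Config": {"User": "1000:1000", "Image": "curl-fw"},
     "HostConfig": {"Privileged": False, "CapAdd": None, "Devices": []}},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", findings or ["ok"])
```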
