From a security perspective: Is it necessary that a user that runs OCI containers with Podman is not at the same time a member of the
From what I understand the idea behind Podman is to re-map the user ids, such that the root user within the container is equivalent to the user on the host. The security concept is better because if a user can take over the container and break out, the user is not automatically root user on the host (given that the process within the container was started as the container’s root user).
Now, if the user on the host is in the docker group, it should be equivalent to having root access, as stated in the Docker post-installation guide:
The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
So if an attacker breaks out of a container managed by Podman, and at the same time the user who started the container is in the docker group, the security gain should be none compared to managing containers with Docker. Is this correct?
Yes, I'd say that your assertion here is correct. Gaining access to an account which is a member of the Docker group on a host (absent other custom protections) will allow the attacker to escalate their privileges to be root on the host.
Typically podman is used for developer systems rather than for running production services, which in that kind of environment would usually be done with something like CRI-O.
It's possibly worth noting that it is possible to run Docker in a rootless mode similar to podman, which may mitigate this kind of issue.
Answered by Rory McCune on February 13, 2021
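To make the two points in the thread concrete, here is an added example that is not part of the question or of Rory McCune's answer. It shows, first, how rootless Podman's default user-namespace mapping turns container uid 0 into the invoking user's own host uid and container uids 1 and up into that user's /etc/subuid range (so a breakout from the container's "root" lands in an unprivileged host account), and second, a small audit that flags users who have such a subuid range but are also listed in the docker group, since for them a breakout is root-equivalent on the host regardless of Podman's mapping. The /etc/passwd, /etc/group and /etc/subuid contents are constructed sample data, not taken from any real host; the function names are this example's own.

```python
#!/usr/bin/env python3
"""Rootless-Podman uid mapping and docker-group audit (added example).

The file contents below are constructed sample data; point the parsers at
the real /etc/passwd, /etc/group and /etc/subuid to audit an actual host.
"""

from typing import Dict, List, Set, Tuple

# --- constructed sample data (not from a real system) --------------------
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
"""

SAMPLE_GROUP = """root:x:0:
docker:x:998:bob,carol
alice:x:1000:
bob:x:1001:
carol:x:1002:
"""

# alice and bob have subordinate uid ranges, i.e. can run rootless Podman.
SAMPLE_SUBUID = """alice:100000:65536
bob:165536:65536
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map login name -> uid from /etc/passwd-style text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        users[fields[0]] = int(fields[2])
    return users


def parse_group_members(text: str, group: str) -> Set[str]:
    """Supplementary members of `group` from /etc/group-style text.

    Note: a user whose *primary* gid is the docker group would not appear
    here; a full audit would also cross-check the gid field of /etc/passwd.
    """
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            return {member for member in fields[3].split(",") if member}
    return set()


def parse_subuid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Map login name -> ordered list of (start, count) ranges from /etc/subuid."""
    ranges: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.setdefault(name, []).append((int(start), int(count)))
    return ranges


def map_container_uid(user: str, container_uid: int,
                      passwd: Dict[str, int],
                      subuid: Dict[str, List[Tuple[int, int]]]) -> int:
    """Host uid that `container_uid` becomes under rootless Podman's default
    mapping: container uid 0 -> the user's own uid; container uids 1.. ->
    the user's subuid ranges, consumed in /etc/subuid order."""
    if container_uid == 0:
        return passwd[user]
    offset = container_uid - 1
    for start, count in subuid.get(user, []):
        if offset < count:
            return start + offset
        offset -= count
    raise ValueError(f"container uid {container_uid} is outside {user}'s mapped range")


def rootless_users_in_docker_group(passwd_text: str, group_text: str,
                                   subuid_text: str) -> Set[str]:
    """Users who can run rootless containers (have a subuid range) but are
    also in the docker group: for them a container breakout is still
    root-equivalent on the host, so the rootless mapping buys nothing."""
    subuid = parse_subuid(subuid_text)
    docker_members = parse_group_members(group_text, "docker")
    return set(subuid) & docker_members


if __name__ == "__main__":
    passwd = parse_passwd(SAMPLE_PASSWD)
    subuid = parse_subuid(SAMPLE_SUBUID)
    for cuid in (0, 1, 65536):
        host_uid = map_container_uid("alice", cuid, passwd, subuid)
        print(f"alice: container uid {cuid} -> host uid {host_uid}")
    flagged = rootless_users_in_docker_group(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SUBUID)
    print("rootless users who are root-equivalent via the docker group:", sorted(flagged))
```

With the sample data, alice's container root maps to host uid 1000 and container uid 1 to 100000, while bob is flagged: his rootless mapping is the same, but his docker-group membership makes any compromise of his account root-equivalent, which is exactly the situation the question describes.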