I'm trying to look at Docker through a security point of view. Can I restrict user access to my docker container?
I know that a user who isn't in the sudoers list cannot access docker. But, is it possible to obtain container-level access restriction?
For example, user1 and user2 both have sudo privileges and can run docker containers. But, can a container be created in such a way that it is accessible to user1, but restricted to user2?
Any help is appreciated, thanks in advance!
If a user has sudo privileges, they can effectively access anything on the host, including all devices, files and containers. They could also just sudo to the other user.
I'm designing a game server service using Kubernetes. I decided that the most suitable volume structure for me was hostPath. As a result of my research, I saw that the use of hostPath would cause security problems.
I will create a folder for each pod, and I will link this folder to the pod with hostPath. Users will not have root privileges in the pod. They will be able to start a Java process with a non-root user inside.
Does it really create a security vulnerability for me?
I saw a recommendation in an article on website security that separate websites running on a web server should be running under separate users for containment, and to limit a breach on one site leading to infection of the other sites.
I am running an Ubuntu 20.04 LAMP server with public internet exposed personal websites. They are set up as virtual hosts in Apache under /var/www/, but all are running using the standard www-data:www-data user and group. How would it work to run them under different user accounts?
Do I simply create a new user & group, then chown the /var/www/directory to be owned by that user? How would that work with allowing Apache permissions to write to the sub-dirs then for patches, uploads, etc?
Apache has its own user and group (www-data or others, according to the distribution it's running on). To achieve what you want, you need to create a user for each virtualhost and make sure Apache can read/write files/folders owned by this new user, for example by putting the Apache user into the new user's group (or the other way around, according to how you want to handle permissions).
The logic "behind" is exactly the same you use to handle linux users and group permissions.
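The ownership scheme described in this answer, worked through as an added example (not code from the answer): a small model of the owner/group/other check applied to one account per virtual host. The account names `site1` and `site2`, the docroot mode `2770` and the group memberships are assumptions made for the illustration, and root is not modelled.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass(frozen=True)
class Account:
    name: str
    groups: frozenset  # primary plus supplementary groups

@dataclass(frozen=True)
class Node:
    owner: str
    group: str
    mode: int  # octal permission bits, e.g. 0o2770

def allowed(acct, node, want):
    """Classic Unix check: exactly one class applies (owner, else group, else other)."""
    if acct.name == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in acct.groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return (bits & want) == want

# Constructed layout (hypothetical names): one account per virtual host,
# docroot mode 2770 (setgid so new files inherit the site group, no access
# for "other"), and www-data added to every site group.
DOCROOTS = {
    "site1": Node("site1", "site1", 0o2770),
    "site2": Node("site2", "site2", 0o2770),
}
ACCOUNTS = {
    "site1": Account("site1", frozenset({"site1"})),
    "site2": Account("site2", frozenset({"site2"})),
    "www-data": Account("www-data", frozenset({"www-data", "site1", "site2"})),
}

def access_matrix():
    """Return {(account, docroot): 'rwx'-style string} for every pair."""
    out = {}
    for a, acct in ACCOUNTS.items():
        for d, node in DOCROOTS.items():
            out[(a, d)] = "".join(
                c if allowed(acct, node, b) else "-" for c, b in zip("rwx", (R, W, X)))
    return out

if __name__ == "__main__":
    for (a, d), perms in sorted(access_matrix().items()):
        print(f"{a:9} -> /var/www/{d}: {perms}")
```

The matrix shows each site account locked out of the other site's docroot, while www-data keeps read-write access to both, so anything that executes inside the Apache process itself is not separated by file ownership alone.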
I want to give read-write access to a specific folder in an Azure VM to someone from his/her machine at home. I do not want to give him access to log in to the machine, but some way so he/she can reach the directory and make changes. Any ideas?
According to your description, maybe we can deploy FTP on that VM. In this way, he/she can access this folder over the internet, and we can give them read-write permission.
Here is a similar case about how to deploy FTP on Windows Server; please refer to it.
The Docker daemon runs as root. Once we add a user to the Docker group, he can launch any Docker container, even privileged containers. This seems to be a serious security issue.
Is there a way of limiting some users in the Docker group to not be able to run privileged containers?
There is currently no way to restrict access to privileged containers. This is why, for example, Fedora has dropped the docker group (because granting access to docker is effectively just like granting passwordless sudo access).
If you want to provide "docker-as-a-service", you probably want to put something in front of it like Kubernetes, which provides only indirect access to the Docker API and can be configured to permit or deny the use of privileged containers.
Many Docker users are enforcing and restricting SELinux by changing the domain of Docker users' "SecurityContext".
Is it possible to set-up Jenkins security in a way that, when accessed from the internal network the user will be assigned Admin privileges, and when accessed from the outside it would require a log-in?
Thank you.
Short answer: no, because Jenkins does not expose client (web browser) information to scripts, so you don't know what network they come from.