Use No New Privileges flag to restrict additional access

Step 1

Create Dockerfile: echo 'FROM benhall/strace-ubuntu:latest' >> 1_Dockerfile echo 'ADD 1_testnnp /testnnp' >> 1_Dockerfile echo 'RUN chmod u+s /testnnp' >> 1_Dockerfile echo 'CMD ["/testnnp"]' >> 1_Dockerfile

Download Command: curl -LO https://github.com/katacoda/oscon2016-docker-perf-sec/raw/master/tutorial/2_Security/3_no-new-privileges/1_testnnp && chmod +x 1_testnnp

Build: docker build -f 1_Dockerfile -t new-priv-1 .

Run: docker run -u 1000 new-priv-1

Is that the output you expected?

Step 2

Create Dockerfile: echo 'FROM benhall/strace-ubuntu:latest' >> 2_Dockerfile echo 'ADD 2_setuid /setuid' >> 2_Dockerfile echo 'ADD 2_suid.sh /tmp/suid.sh' >> 2_Dockerfile echo 'RUN chmod u+s /setuid /tmp/suid.sh' >> 2_Dockerfile echo 'CMD ["/setuid"]' >> 2_Dockerfile

Download Command: curl -LO https://github.com/katacoda/oscon2016-docker-perf-sec/raw/master/tutorial/2_Security/3_no-new-privileges/2_setuid && chmod +x 2_setuid

curl -LO https://github.com/katacoda/oscon2016-docker-perf-sec/raw/master/tutorial/2_Security/3_no-new-privileges/2_suid.sh && chmod +x 2_suid.sh

Build: docker build -f 2_Dockerfile -t new-priv-2 .

Run: docker run -u 1000 new-priv-2

Is that the output you expected? How could you secure the user gaining root access?

Step 3

What happens when you add --security-opt=no-new-privileges ?

docker run -u 1000 --security-opt=no-new-privileges new-priv-1

docker run -u 1000 --security-opt=no-new-privileges new-priv-2

cd <directory>	Change directory
ls	List directory
echo 'contents' > <file>	Write contents to a file
cat <file>	Output contents of file

i	In Command Mode	Change into Insert Mode, you can now insert and edit text in the file
esc	In Insert Mode	Change into Command Mode, you can now execute commands
:wq	In Command Mode	Save and Exit

Welcome!

Docker Security - Use No New Privileges flag to restrict additional access

Congratulations!

You've completed the scenario!

Scenario Rating

Steps