1

Is this correct? A random user ID can delete a file owned by root?

```
docker run -ti -u 1001 debian:stretch
I have no name!@2af53be18a40:/$ rm -f /etc/passwd
I have no name!@2af53be18a40:/$ ls /etc/passwd
ls: cannot access '/etc/passwd': No such file or directory
```

I think this used to work (i.e. permission denied), although I haven't tried that exact sequence of commands in the past. The results above are from Docker version 1.12.2, build bb80604 running on Stretch.

  • Oddly, I can't replicate this behavior myself; running the same set of commands locally results in `rm: cannot remove '/etc/passwd': Permission denied`. – larsks Oct 30 '16 at 13:04
  • May depend on Docker version; I've updated the question. – user7091575 Oct 30 '16 at 13:07
  • This is off-topic here I'm afraid, but deleting a file modifies the directory, not the file, so whether you can delete it depends on ownership and access rights of the directory that contains the file, and not the file itself. – Gabor Lengyel Oct 30 '16 at 20:40
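
The rule stated in the last comment above (deletion is decided by the containing directory, not the file), written out as an added example that is not part of the original thread. The names `Meta`, `can_unlink` and `can_unlink_path` and the sample modes are assumptions made for illustration; the check covers classic mode bits and the sticky bit only, and it does not diagnose the Docker behaviour reported in the question.

```python
import os
import stat
from collections import namedtuple

# Minimal stand-in for os.stat_result so the rule can be shown on constructed values.
Meta = namedtuple("Meta", "st_mode st_uid st_gid")


def _dir_bits(d, uid, gids):
    """Return the rwx triplet of directory `d` that applies to uid/gids."""
    if uid == d.st_uid:
        return (d.st_mode >> 6) & 7
    if d.st_gid in gids:
        return (d.st_mode >> 3) & 7
    return d.st_mode & 7


def can_unlink(parent, target, uid, gids=()):
    """Classic Unix DAC check for unlink(2): the parent directory decides.

    Ignores capabilities other than uid 0, ACLs, immutable flags, read-only
    mounts and LSMs, all of which can still deny the call.
    """
    if uid == 0:
        return True  # uid 0 with default capabilities bypasses the mode bits
    bits = _dir_bits(parent, uid, gids)
    if bits & 0o3 != 0o3:  # need write (2) and search (1) on the directory
        return False
    if parent.st_mode & stat.S_ISVTX:  # sticky directory, e.g. /tmp
        return uid in (target.st_uid, parent.st_uid)
    return True  # the file's own owner and mode are never consulted


def can_unlink_path(path, uid, gids=()):
    """Same check on a real file, e.g. inside a container's root filesystem."""
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    return can_unlink(parent, os.lstat(path), uid, gids)


# Constructed metadata, not taken from the thread:
PASSWD = Meta(stat.S_IFREG | 0o644, 0, 0)        # root-owned file
ETC_NORMAL = Meta(stat.S_IFDIR | 0o755, 0, 0)    # usual root-owned directory
ETC_OPEN = Meta(stat.S_IFDIR | 0o777, 0, 0)      # world-writable directory
TMP_STICKY = Meta(stat.S_IFDIR | 0o1777, 0, 0)   # sticky, like /tmp

if __name__ == "__main__":
    for name, d in [("0755", ETC_NORMAL), ("0777", ETC_OPEN), ("1777", TMP_STICKY)]:
        print(name, can_unlink(d, PASSWD, uid=1001))
```

Calling `can_unlink_path('/etc/passwd', 1001)` inside a container reports what the mode bits alone would allow, which can then be compared with what `rm` actually does.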

1 Answer

0

Happy to report that this is fixed in Docker 1.23!