0

I am currently prototyping Docker hosted on WSL and Ubuntu that will be located on a compliant workstation. Being an early prototype, we want it setup heavily restricted to side step compliancy.

Now a piece of the puzzle is being able to restrict users to only a few commands that will allow them to accomplish their job. For example, can I use Unix permissions to restrict Docker commands such as: docker network create and flags such as --privileged, --mount, etc? The goal here is to deploy a specific configuration and ensure that it cannot be changed by non-admin users. Thank you.

NickHayMan
  • 1
  • 1
    The classic Linux answer is that anyone who can run any `docker` command can very easily root the entire host, and correspondingly it's a poor match for a shared system with users without sudo permissions. [Docker root access to host system](https://stackoverflow.com/questions/41991905/docker-root-access-to-host-system) has some discussion of this. I don't know if WSL improves things at all. – David Maze Jun 29 '22 at 21:31
  • Thank you for the article David, it looks like utilizing user namespaces can prevent the host filesystem vulnerability but that is not specifically what I am going after. A container root breach isn't a huge concern as these will be purely local subsystems running Docker, and if WSL gets compromised it doesn't have a large affect on the Windows host. My primary goal is to restrict a Docker user to the bare minimum in terms of capability. Such as: docker pull, docker run, docker push, etc. User namespaces seem like a step in mitigating the filesystem issue. – NickHayMan Jun 29 '22 at 22:40
  • "My primary goal is to restrict a Docker user to the bare minimum in terms of capability. Such as: docker pull [...]" `docker pull` can be harmful and lead to disk space denial of service (but don't know how wsl handle this). – Dr Claw Jun 30 '22 at 02:34

0 Answers0