Katacoda Docker Security - Use No New Privileges flag to restrict additional access


1 Overview

Katacoda Docker Security - Use No New Privileges flag to restrict additional access
  • https://www.katacoda.com/courses/docker-security/no-new-privileges

2 Step 1

  • Create the Dockerfile
[root@host01 ~]# echo 'FROM benhall/strace-ubuntu:latest' >> 1_Dockerfile
[root@host01 ~]# echo 'ADD 1_testnnp /testnnp' >> 1_Dockerfile
[root@host01 ~]# echo 'RUN chmod u+s /testnnp' >> 1_Dockerfile
[root@host01 ~]# echo 'CMD ["/testnnp"]' >> 1_Dockerfile
[root@host01 ~]#
[root@host01 ~]# curl -LO https://github.com/katacoda/oscon2016-docker-perf-sec/raw/master/tutorial/2_Security/3_no-new-privileges/1_testnnp && chmod +x 1_testnnp
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   191  100   191    0     0    710      0 --:--:-- --:--:-- --:--:--   710
100  8605  100  8605    0     0  17005      0 --:--:-- --:--:-- --:--:-- 17005
[root@host01 ~]# docker build -f 1_Dockerfile -t new-priv-1 .
Sending build context to Docker daemon  20.48kB
Step 1/4 : FROM benhall/strace-ubuntu:latest
latest: Pulling from benhall/strace-ubuntu
6d28225f8d96: Pull complete
166102ec41af: Pull complete
d09bfba2bd6a: Pull complete
c80dad39a6c0: Pull complete
a3ed95caeb02: Pull complete
b668194b0fb4: Pull complete
Digest: sha256:edbf5bff42c0858def0393e69b9e1538bb3433f0793e4c74501f3590a4aad454
Status: Downloaded newer image for benhall/strace-ubuntu:latest
 ---> 789c7821c0df
Step 2/4 : ADD 1_testnnp /testnnp
 ---> 7bd11886105f
Step 3/4 : RUN chmod u+s /testnnp
 ---> Running in 8ffa2470e4e9
Removing intermediate container 8ffa2470e4e9
 ---> cffe19fe6718
Step 4/4 : CMD ["/testnnp"]
 ---> Running in ee94acf9260a
Removing intermediate container ee94acf9260a
 ---> 9512ba020b6f
Successfully built 9512ba020b6f
Successfully tagged new-priv-1:latest
[root@host01 ~]# docker run -u 1000 new-priv-1
Effective uid: 0
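The session above shows the problem the lesson is about: the image contains a setuid-root binary (`RUN chmod u+s /testnnp`), so even when the container is started as uid 1000 the process reports "Effective uid: 0". Docker's `--security-opt=no-new-privileges` closes this by setting the Linux no_new_privs bit on the container's first process, which makes execve() ignore setuid/setgid bits and file capabilities. The C program below is an added example, not code from the Katacoda lesson or the tutorial repository: it shows the kernel-level mechanism behind that flag (prctl with PR_SET_NO_NEW_PRIVS), a defender-side check for the setuid bit that the flag neutralizes, and the same real/effective uid report that the lesson's testnnp binary prints. The file it creates under /tmp is a constructed sample standing in for /testnnp; the function names are the example's own.

```c
// Added example (not from the Katacoda lesson): the kernel mechanism behind
// `docker run --security-opt=no-new-privileges`. Setting the no_new_privs bit
// makes execve() ignore setuid/setgid bits and file capabilities, so a binary
// like /testnnp cannot raise the effective uid to 0. The bit is inherited by
// children and cannot be cleared once set. Linux only.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/prctl.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38   /* values from linux/prctl.h (kernel >= 3.5) */
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* 1 if the calling process already has no_new_privs set, 0 if not, -1 on error. */
int get_no_new_privs(void) {
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set no_new_privs on the calling process: what the Docker flag does for the
 * container's init process. Returns 0 on success, -1 on error. */
int set_no_new_privs(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Defender-side check: does this file carry the setuid bit that no_new_privs
 * would neutralize? Returns 1 if set, 0 if not, -1 if stat() fails. */
int has_setuid_bit(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Constructed sample: create an empty temp file we own and mark it setuid
 * (mode 4755), mirroring `RUN chmod u+s /testnnp` in the Dockerfile above.
 * Returns the path (static buffer) or NULL on failure. */
const char *create_setuid_sample(void) {
    static char path[64];
    strcpy(path, "/tmp/nnp_sample_XXXXXX");   /* fresh template on every call */
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    if (fchmod(fd, S_ISUID | 0755) != 0) { close(fd); unlink(path); return NULL; }
    close(fd);
    return path;
}

/* Same report as the lesson's testnnp binary: real vs effective uid. */
int report_ids(void) {
    printf("Real uid: %u, Effective uid: %u\n",
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}

int main(void) {
    const char *sample = create_setuid_sample();
    printf("setuid bit on %s: %d\n", sample ? sample : "(none)",
           sample ? has_setuid_bit(sample) : -1);
    printf("no_new_privs before: %d\n", get_no_new_privs());
    if (set_no_new_privs() != 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); return 1; }
    printf("no_new_privs after:  %d\n", get_no_new_privs());
    report_ids();
    if (sample) unlink(sample);
    return 0;
}
```

Inside a container started with `--security-opt=no-new-privileges`, `get_no_new_privs()` already returns 1 before the program sets anything, which is why a setuid file in the image stops mattering; `has_setuid_bit()` is the check to run over an image's filesystem to find such files before relying on the flag. You can also confirm the bit from a shell with the `NoNewPrivs:` line of /proc/self/status.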

3 Step 2

4 Step 3
