카타코더 도커보안 - Use No New Privileges flag to restrict additional access

1 개요[ | ]

카타코더 도커보안 - Use No New Privileges flag to restrict additional access

2 Step 1[ | ]

Dockerfile 생성
[root@host01 ~]# echo 'FROM benhall/strace-ubuntu:latest' >> 1_Dockerfile
[root@host01 ~]# echo 'ADD 1_testnnp /testnnp' >> 1_Dockerfile
[root@host01 ~]# echo 'RUN chmod u+s /testnnp' >> 1_Dockerfile
[root@host01 ~]# echo 'CMD ["/testnnp"]' >> 1_Dockerfile
[root@host01 ~]#
다운로드
[root@host01 ~]# curl -LO https://github.com/katacoda/oscon2016-docker-perf-sec/raw/master/tutorial/2_Security/3_no-new-privileges/1_testnnp && chmod +x 1_testnnp
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   191  100   191    0     0    710      0 --:--:-- --:--:-- --:--:--   710
100  8605  100  8605    0     0  17005      0 --:--:-- --:--:-- --:--:-- 17005
빌드
[root@host01 ~]# docker build -f 1_Dockerfile -t new-priv-1 .
Sending build context to Docker daemon  20.48kB
Step 1/4 : FROM benhall/strace-ubuntu:latest
latest: Pulling from benhall/strace-ubuntu
6d28225f8d96: Pull complete
166102ec41af: Pull complete
d09bfba2bd6a: Pull complete
c80dad39a6c0: Pull complete
a3ed95caeb02: Pull complete
b668194b0fb4: Pull complete
Digest: sha256:edbf5bff42c0858def0393e69b9e1538bb3433f0793e4c74501f3590a4aad454
Status: Downloaded newer image for benhall/strace-ubuntu:latest
 ---> 789c7821c0df
Step 2/4 : ADD 1_testnnp /testnnp
 ---> 7bd11886105f
Step 3/4 : RUN chmod u+s /testnnp
 ---> Running in 8ffa2470e4e9
Removing intermediate container 8ffa2470e4e9
 ---> cffe19fe6718
Step 4/4 : CMD ["/testnnp"]
 ---> Running in ee94acf9260a
Removing intermediate container ee94acf9260a
 ---> 9512ba020b6f
Successfully built 9512ba020b6f
Successfully tagged new-priv-1:latest
실행 — `-u 1000`으로 일반 사용자 uid로 실행해도, /testnnp 에 setuid 비트(`chmod u+s`)가 붙어 있어 실행 시 유효 uid가 0(root)으로 상승한다.
[root@host01 ~]# docker run -u 1000 new-priv-1
Effective uid: 0

3 Step 2[ | ]

Dockerfile 생성
[root@host01 ~]# echo 'FROM benhall/strace-ubuntu:latest' >> 2_Dockerfile
[root@host01 ~]# echo 'ADD 2_setuid /setuid' >> 2_Dockerfile
[root@host01 ~]# echo 'ADD 2_suid.sh /tmp/suid.sh' >> 2_Dockerfile
[root@host01 ~]# echo 'RUN chmod u+s /setuid /tmp/suid.sh' >> 2_Dockerfile
[root@host01 ~]# echo 'CMD ["/setuid"]' >> 2_Dockerfile
[root@host01 ~]#
다운로드
[root@host01 ~]# curl -LO https://github.com/katacoda/oscon2016-docker-perf-sec/raw/master/tutorial/2_Security/3_no-new-privileges/2_setuid && chmod +x 2_setuid
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   190  100   190    0     0    791      0 --:--:-- --:--:-- --:--:--   791
100  8823  100  8823    0     0  12461      0 --:--:-- --:--:-- --:--:-- 35292
[root@host01 ~]# curl -LO https://github.com/katacoda/oscon2016-docker-perf-sec/raw/master/tutorial/2_Security/3_no-new-privileges/2_suid.sh && chmod +x 2_suid.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   191  100   191    0     0    622      0 --:--:-- --:--:-- --:--:--   622
100   132  100   132    0     0    263      0 --:--:-- --:--:-- --:--:--     0
빌드
[root@host01 ~]# docker build -f 2_Dockerfile -t new-priv-2 .
Sending build context to Docker daemon  32.26kB
Step 1/5 : FROM benhall/strace-ubuntu:latest
 ---> 789c7821c0df
Step 2/5 : ADD 2_setuid /setuid
 ---> c7745de64137
Step 3/5 : ADD 2_suid.sh /tmp/suid.sh
 ---> 9f7abe19f797
Step 4/5 : RUN chmod u+s /setuid /tmp/suid.sh
 ---> Running in 0ed7e8a55dc7
Removing intermediate container 0ed7e8a55dc7
 ---> 7cd7f13d9262
Step 5/5 : CMD ["/setuid"]
 ---> Running in 550fb295448a
Removing intermediate container 550fb295448a
 ---> 05cef7e288a6
Successfully built 05cef7e288a6
Successfully tagged new-priv-2:latest
실행
[root@host01 ~]# docker run -u 1000 new-priv-2
 effective user-ID:
root
 real user-ID:
root
 group ID:
root

4 Step 3[ | ]

`--security-opt=no-new-privileges` 를 주면 컨테이너 프로세스에 no_new_privs 가 설정되어 execve 시 setuid 비트가 무시되므로, 같은 이미지를 실행해도 uid 가 1000 그대로 유지된다(Step 1·2 와 비교). `id: cannot find name for user ID 1000` 경고는 이미지의 /etc/passwd 에 uid 1000 항목이 없어서 나오는 것일 뿐 권한 상승과는 무관하다. 단, 아래 출력에서 group ID 는 여전히 root 인데 `-u 1000` 처럼 uid 만 지정하면 gid 는 기본값(root)으로 남는 것으로 보인다. 그룹 권한까지 내리려면 `-u 1000:1000` 처럼 gid 도 함께 지정하는 것이 좋다.
[root@host01 ~]# docker run -u 1000 --security-opt=no-new-privileges new-priv-1
Effective uid: 1000
[root@host01 ~]# docker run -u 1000 --security-opt=no-new-privileges new-priv-2
 effective user-ID:
1000
 real user-ID:
1000
id: cannot find name for user ID 1000
id: cannot find name for user ID 1000
 group ID:
root