Runner mounts socket which is $bad #4

Open
opened 2021-03-16 08:44:14 +00:00 by decentral1se · 0 comments

As we now know from https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-1-do-not-expose-the-docker-daemon-socket-even-to-the-containers, it is a considerable attack vector to expose the docker socket to other containers. We do this for the runner in https://git.autonomic.zone/coop-cloud/drone-docker-runner/src/commit/e54a5649237c3dfcd0ba16b580739578fc0a757e/compose.yml#L8 because this runner spawns its own containers. That actually can't be avoided I would say. Maybe we need to consider moving the runner to its own machine which is locked down away from other apps.

/cc @kawaiipunk
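The issue above is about a single known mount, but the same pattern can creep into other stacks. The script below is an added example, not code from the drone-docker-runner project: a small stdlib-only scanner that walks Compose text line by line, tracks which service each line belongs to, and reports every volume entry that bind-mounts /var/run/docker.sock, in both the short (`- host:container`) and long (`source:`) syntax. The compose text it runs on is constructed for the example; the service names and image names in it are placeholders, not the project's real compose.yml.

```python
"""Flag Docker Compose services that bind-mount the Docker daemon socket.

Added example (not part of the drone-docker-runner project). It implements
the check behind OWASP Docker Security Cheat Sheet rule 1 as a heuristic
line scanner so it needs no YAML library. SAMPLE_COMPOSE is constructed
for illustration; none of its names come from the project.
"""
import re
from typing import List, Tuple

DOCKER_SOCK = "/var/run/docker.sock"

# Short volume syntax ("- /var/run/docker.sock:/var/run/docker.sock[:ro]")
# or long syntax ("source: /var/run/docker.sock"), with optional quoting.
_SOCK_RE = re.compile(
    r"(?:^-\s*|source:\s*)['\"]?" + re.escape(DOCKER_SOCK) + r"(?:[:'\"\s]|$)"
)


def find_socket_mounts(compose_text: str) -> List[Tuple[str, int, str]]:
    """Return (service, line_number, line) for each docker.sock mount found.

    Service attribution is by indentation: every key at the first indent
    level under the top-level "services:" key is treated as a service name.
    """
    findings: List[Tuple[str, int, str]] = []
    in_services = False
    services_indent = None   # indent level of service names, learned on the fly
    current_service = None

    for lineno, raw in enumerate(compose_text.splitlines(), start=1):
        stripped = re.sub(r"\s+#.*$", "", raw.strip())  # drop trailing comments
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))

        if indent == 0:
            # New top-level key: only "services:" is interesting to us.
            in_services = stripped == "services:"
            services_indent = None
            current_service = None
            continue
        if not in_services:
            continue

        # First indented key under "services:" fixes the service indent level;
        # later keys at that level are further service names.
        if stripped.endswith(":") and (services_indent is None or indent == services_indent):
            services_indent = indent
            current_service = stripped[:-1]
            continue

        if _SOCK_RE.search(stripped):
            findings.append((current_service or "<unknown>", lineno, stripped))
    return findings


# Constructed sample: "runner" and "web" expose the socket in the two syntaxes,
# "db" is clean. Image and host names are placeholders.
SAMPLE_COMPOSE = """\
version: "3.8"
services:
  runner:
    image: example/ci-runner:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - CI_SERVER_HOST=ci.example.com
  web:
    image: nginx:alpine
    volumes:
      - type: bind
        source: /var/run/docker.sock
        target: /var/run/docker.sock
  db:
    image: postgres:13
    volumes:
      - db-data:/var/lib/postgresql/data
volumes:
  db-data: {}
"""

if __name__ == "__main__":
    for service, lineno, line in find_socket_mounts(SAMPLE_COMPOSE):
        print(f"line {lineno}: service '{service}' mounts the Docker socket: {line}")
```

The scanner only sees what is written literally in the file: a socket reached through a named volume, an environment-provided `DOCKER_HOST`, or a value substituted from an `.env` file will not be flagged. For a stack that uses those, run the check against the resolved output of `docker compose config` instead of the raw file. A hit is not automatically a bug, as this issue shows for a CI runner that must spawn containers; it marks a service whose compromise is equivalent to root on the host, which is the argument for isolating such a service on its own machine.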

Reference: coop-cloud/drone-docker-runner#4