Docker has so many usages and applications. It's pretty safe as long as you run your processes as non-privileged users, but, in practice, basic container security is often skipped.
The Docker paradox
Paradoxically, using Docker should increase the level of security, as you don't run applications on the host directly but in isolated containers instead.
The problems come when some frameworks or manual [mis]configurations do not limit the capabilities used by these containers, sometimes allowing root privileges only for convenience, just to make the whole thing work.
It should remain pretty rare now, but if a container requires the --privileged
flag or uses the default setup, it's usually a red sign.
The appropriate flag is --user
associated with an unprivileged or limited account.
Avoid the Docker escape
Escaping from a misconfigured Docker environment is a classic scenario in CTFs (Capture the flag events) and penetration tests.
It's not uncommon such vulnerable containers interact with the kernel as root, hence the high risk.
Best security practices
While the OWASP cheat sheet for Docker Security is not the only resource available, it's one of the best ones, as it uses simple words to explain complex concepts and gives practical recommendations.
Dev teams need magic
Theoretically, you're supposed to take the best decisions, ensuring you're not doing it wrong, and mastering all technologies you use.
In practice, critical mistakes happen all the time, even when you care, and it's not a question of "rookie vs. Jedi," as many devs often rely on other layers' magic to deliver. That's pretty much how it works.
You can't anticipate all the risks, but before fetching any git repository or copy/pasting some random Dockerfile, remember basic principles like the least privilege.
Programs that run as you get the same privileges, and it's even more sensitive if it asks for root access.
Root privileges are not always evil, but many apps simply ask way more rights than necessary.
Wrap up
In a nutshell, be "root-less." While this problem is not specific to Docker, and the proper configuration might require efforts and tests, it's required for both compliance and security.