zlacker

[return to "A story on home server security"]
1. smarx0+P4[view] [source] 2025-01-05 13:38:36
>>todsac+(OP)
Docker has a known security issue with port exposure in that it punches holes through the firewall without asking your permission, see https://github.com/moby/moby/issues/4737

I usually expose ports like `127.0.0.1:1234:1234` instead of `1234:1234`. As far as I understand, it still punches holes this way but to access the container, an attacker would need to get a packet routed to the host with a spoofed IP SRC set to `127.0.0.1`. All other solutions that are better seem to be much more involved.

2. geye12+db[view] [source] 2025-01-05 14:45:14
>>smarx0+P4
I am not a security person at all. Are you really saying that it could potentially cause iptables to open ports without an admin knowing? Is that shockingly, mind-bogglingly bad design on Docker's part, or is it just me?

Worse, the linked bug report is from a DECADE ago, and the comments underneath don't seem to show any sense of urgency or concern about how bad this is.

Have I missed something? This seems appalling.

3. tomjen+VR[view] [source] 2025-01-05 20:23:41
>>geye12+db
To run Docker, you need to be an admin or in the Docker group, which warns you that it is equivalent to having sudo rights, AKA being an admin.

As for it not being explicitly permitted, no ports are exposed by default. You must provide the docker run command with -p, for each port you want exposed. From their perspective, they're just doing exactly what you told them to do.

Personally, I think it should default to giving you an error unless you specified what IPs to listen on, but this is far from as big of an issue as people make it out to be.

The biggest issue is that it is a ginormous foot gun for people who don't know Docker.

4. diggan+2W[view] [source] 2025-01-05 20:58:19
>>tomjen+VR
I don't remember the particular syntax, but isn't there a difference between binding a port on the address the container runs on vs. binding a port on the host address?

Maybe it's the difference between "-P" and "-p", or specifying "8080:8080" instead of "8080", but there is a difference, especially since one wouldn't be reachable outside of your machine and the other one would, in the worst case trying to bind 0.0.0.0.

5. johnta+Dj1[view] [source] 2025-01-06 00:49:19
>>diggan+2W
You can specify the interface address to listen on, like "127.0.0.1:8080:8080" or "192.168.1.100:8080:8080". I have a lot of containers exposed like this but bind specifically to a VPN IP on the host so that they don't get exposed externally by default.
6. diggan+Vg2[view] [source] 2025-01-06 12:45:29
>>johnta+Dj1
The trouble is that docker seems to default to using 0.0.0.0, so if you do `docker run -it -p 8080 node:latest` for example, now that container accepts incoming connections on port :32768 or whatever docker happens to assign it, which is bananas default behavior.
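As an added example (not from any poster in this thread, and not Docker's own code), here is a small Python audit helper that classifies `-p` / compose `ports:` specs by the host address they bind. It assumes Docker's documented published-port grammar `[host_ip:][host_port:]container_port[/proto]`, where an omitted host address means 0.0.0.0 and an omitted host port means Docker picks an ephemeral one; the function and class names are mine.

```python
"""Classify Docker published-port specs by which host interfaces they bind.

Grammar assumed (Docker's documented -p / ports: short syntax):
    [host_ip:][host_port:]container_port[/proto]
No host_ip  -> Docker binds 0.0.0.0 (every interface on the host).
No host_port -> Docker picks an ephemeral host port (32768+), still on 0.0.0.0.
"""
from dataclasses import dataclass

WILDCARDS = {"", "0.0.0.0", "::", "[::]"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}


@dataclass(frozen=True)
class PortSpec:
    host_ip: str         # "" when not given (Docker then uses 0.0.0.0)
    host_port: str       # "" when not given (Docker picks an ephemeral port)
    container_port: str
    proto: str

    @property
    def exposure(self) -> str:
        if self.host_ip in WILDCARDS:
            return "all-interfaces"
        if self.host_ip in LOOPBACK:
            return "loopback"
        return "specific"


def parse_port_spec(spec: str) -> PortSpec:
    body, _, proto = spec.partition("/")
    proto = proto or "tcp"
    host_ip = ""
    if body.startswith("["):                 # bracketed IPv6, e.g. [::1]:8080:80
        end = body.index("]")
        host_ip, body = body[: end + 1], body[end + 2:]   # drop "]:"
        parts = body.split(":")
    else:
        parts = body.split(":")
        if len(parts) == 3:                  # host_ip:host_port:container_port
            host_ip = parts.pop(0)
    if len(parts) == 2:                      # host_port:container_port (host_port may be "")
        host_port, container_port = parts
    elif len(parts) == 1:                    # bare container_port, e.g. -p 8080
        host_port, container_port = "", parts[0]
    else:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    return PortSpec(host_ip, host_port, container_port, proto)


def audit(specs):
    """Return the specs that would be reachable on every host interface."""
    return [s for s in specs if parse_port_spec(s).exposure == "all-interfaces"]
```

Anything `audit()` returns is the case the thread is describing: bound on 0.0.0.0 with the firewall rules inserted by Docker. A daemon-wide fix for the default is the dockerd `--ip` option (the `"ip"` key in `daemon.json`), which sets the host address used when a spec omits one.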