by atemerev 3314 days ago
I am not a pentesting expert. My first reaction is to leave everything as is, as it is very cool to play with root access to Docker containers (I managed to reboot one, but a new one immediately appeared on page reload).

My worst concern now would be network security. With root access, it is trivial to e.g. install spambots in all your containers (just checked, command execution works, and external network access is enabled). I think it is a good idea to at least disable networking. (Update: and use a minimal Docker image like Alpine Linux).

Proof:

[__REDACTED__]

2 comments

I agree with this. What's to stop me from opening a bunch of the containers and using them to DDOS someone or to send out spam emails? I'm already playing around with system commands and they seem to be entirely unrestricted.

Basically I can run any bash script, as is, with

    import sys.process._
    "BASH_COMMAND" !!

And I seem to be able to at least cause the containers to endlessly restart quite simply.

Yeah, disabling networking was an idea. I prefer to leave it open so you can try http client/libraries that access the web. To limit spam, if it becomes an issue we could throttle the connection.
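
An added example, not part of the thread or of the site's own code: a small audit over `docker inspect` JSON that flags the conditions raised above (root inside the container, networking enabled). It goes slightly beyond the thread by also checking privilege, capability and resource-limit settings; the two container records are constructed sample data with hypothetical names.

```python
import json

# Constructed, trimmed `docker inspect` output for two hypothetical sandbox containers.
SAMPLE_INSPECT = json.loads("""
[
 {"Name": "/repl-default",
  "Config": {"User": "", "Image": "ubuntu:16.04"},
  "HostConfig": {"NetworkMode": "default", "Privileged": false, "CapDrop": null,
                 "Memory": 0, "PidsLimit": 0, "SecurityOpt": null}},
 {"Name": "/repl-locked",
  "Config": {"User": "1000:1000", "Image": "alpine:3.19"},
  "HostConfig": {"NetworkMode": "none", "Privileged": false, "CapDrop": ["ALL"],
                 "Memory": 268435456, "PidsLimit": 64,
                 "SecurityOpt": ["no-new-privileges"]}}
]
""")

def audit_container(c):
    """Return a list of findings for one `docker inspect` record."""
    cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
    findings = []
    # An empty User means the image default, which is root unless the image says otherwise.
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("runs as root")
    if host.get("NetworkMode") != "none":
        findings.append("network enabled")
    if host.get("Privileged"):
        findings.append("privileged")
    if "ALL" not in [cap.upper() for cap in host.get("CapDrop") or []]:
        findings.append("capabilities not dropped")
    opts = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") and not o.endswith("false") for o in opts):
        findings.append("no-new-privileges not set")
    # Docker reports 0 (or null / -1 for pids) when no limit is configured.
    if (host.get("Memory") or 0) <= 0:
        findings.append("no memory limit")
    if (host.get("PidsLimit") or 0) <= 0:
        findings.append("no pids limit")
    return findings

def audit(records):
    """Map container name -> findings for a parsed `docker inspect` array."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in records}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "->", ", ".join(findings) or "ok")
```

On a real host, the same `audit` function can be fed the parsed output of `docker inspect` for the running sandbox containers.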