This is exactly why you should not run random docker images and snaps. Docker images are also run as root in many cases. It is better to build app images from scratch and understand what exactly goes into the image.
People tend to take docker images at roughly the same level of audit as a large open source package installed from their favorite repository without realizing that those two things are entirely different.
They feel it is a convenient binary distribution format for software.
"Don't run random Docker or Vagrant Boxes" seems to be something that isn't really emphasized by the providers of these services.
I ran into this realization the other day. I wanted to give Mint a try. I run over to Vagrant's site which prominently displays a "Discover Boxes" link. But gives zero indication from the main site that these Boxes are not provided by any kind of official maintainer or HashiCorp itself but are community uploads I suppose... at least I can't find any vetted information about who the uploaders are and why I should trust them.
This should be a big red flag in the quick start guide that screams: Don't just download any old box from our site and then load it up with all your customer data and put it into production. Instead it's buried deep in the documentation: https://www.vagrantup.com/docs/vagrant-cloud/boxes/catalog.h...
Those random docker images are rarely used in isolation. They typically handle your data and often your customers' data.
Beyond that, numerous escape exploits in Linux containerization (and Docker specifically) have popped up over the years, and many more are going to pop up over the coming years. This is not a mature space.
Running random binary code distributed from a non-curated source, even in a "container", is going to end in heartache.
And that’s why you should usually build your own images, and only trust docker images from the same people whose binaries you’d also trust with all your data.
(e.g. a docker image from RedHat may be okay, one from zhenghe8 likely not)
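An added example, not part of the thread: a small audit over `docker image inspect` JSON that flags the two risks raised above, images from publishers you have not decided to trust and images that start as root. The allowlist, registry name and sample records are constructed assumptions.

```python
import json

# Assumption: registries/namespaces this organisation has chosen to trust (hypothetical).
TRUSTED_PREFIXES = ("registry.internal.example/",)

# Constructed sample shaped like `docker image inspect` output, trimmed to the fields used.
SAMPLE_INSPECT = json.loads("""
[
  {"RepoTags": ["randomuser/example-app:latest"], "Config": {"User": ""}},
  {"RepoTags": ["registry.internal.example/team/api:1.4"], "Config": {"User": "1001:1001"}},
  {"RepoTags": ["registry.internal.example/team/batch:2.0"], "Config": {"User": "0:0"}}
]
""")


def runs_as_root(image):
    """An empty User, 'root' or uid 0 all mean the container process starts as root."""
    user = (image.get("Config") or {}).get("User") or ""
    uid = user.split(":", 1)[0]  # User may be "uid", "name", "uid:gid" or "name:group"
    return uid in ("", "root", "0")


def audit(image):
    """Return the list of findings for one inspect record (empty list means clean)."""
    findings = []
    refs = image.get("RepoTags") or []
    # Every name the image is tagged with must come from a trusted prefix;
    # an untagged image cannot be attributed to anyone, so it fails too.
    if not refs or not all(ref.startswith(TRUSTED_PREFIXES) for ref in refs):
        findings.append("untrusted-publisher")
    if runs_as_root(image):
        findings.append("runs-as-root")
    return findings


def audit_all(images):
    """Map each image's first tag (or '<untagged>') to its findings."""
    return {(img.get("RepoTags") or ["<untagged>"])[0]: audit(img) for img in images}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(findings) or 'ok'}")
```

On a real host the input would be the saved output of `docker image inspect` for the images in use; a passing result only says where the image came from and which user it starts as, not what is inside it.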
> Those random docker images are rarely used in isolation. They typically handle your data and often your customers' data.
Thank you. This is something that I truly hate Google for. They constantly spread this mentality that isolation = nothing bad can ever happen to your data. And then they build a horrible permission system on top of that idea and leave everything else up to the user.
And as a result, the Google Play Store and Chrome Store are the most malware-filled app stores that I'm aware of.
Despite that, you still had people giving Firefox shit for not isolating add-ons, which however were thoroughly reviewed and as a result quite clearly less often subject to malicious intents.
And then something like the Web of Trust fiasco, where the add-on as a feature sends your browsing history out to the internet and then bad things happen there (the WoT devs sold the browsing data in an anonymized form that was shown to be deanonymizable rather easily), against that neither isolation nor a review can help, so we shouldn't act like any security technique is perfect. We still need users to think for themselves, even if that's bad for Google's business model.
I have used the following image[1] on a server of my old company where we had a problem and no one with privileges was available. It gives you a root shell. I added my public key to the authorized_keys of root.