How to restrict access to path in Docker container?

Question

Here I've written a Dockerfile for testing user access. The other file (run.sh) is on this link

Up to here, I've done this:

1. From Ubuntu 12.04.05, make a new container with sudo and ssh server.
2. Change defaults root password to 'root'
3. Create a test directory '/app' and a file inside called 'lalal' with a sample string.
4. Create user 'devops' and add sudo capabilities to it so as to start ssh service.
5. Configure the run.sh script to start the ssh service at startup and change to 'devops' to the default user.

Operations with docker:

• To build: docker build testuser/testuser:v1 -f ./Dockerfile .
• To run: docker run -d -P --name testuser -p 22:22 testuser/testuser:v1
• To see the logs: docker logs testuser
• To run a bash: docker exec -i -t bash
• To run a bash with root user: docker exec -i -t -user=root bash

Up to running a bash with devops user there is no problem due to the restrictions given to /app directory but when I run bash with root user I can do whatever I want and the devops user is useless. How can I correct this security hole?

Answer 1

As mentioned in issue 8664:

If someone has access to Docker, they have access to your entire system, can join namepsaces, etc.
Disabling docker exec would not enhance security at all.

If you can run docker exec, you can run it as root in any running container. That is not a bug or a security risk. That is a feature.

From issue 8798:

I think exec is mostly useful for debugging a container and therefore it is necessary to be able to exec as root.

The OP Agustín Alba Chicar confirms (in the comments) with issue 18640
(Brian Goff -- cpuguy83's answer)

No.
By convention, any user with access to docker has full root access to the host, which makes root access to the container moot.

Docker now has an authorization framework in master, which can be used to limit this sort of access. It will be available in Docker 1.10.