Skip to content

nomeata/safe-docker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 

Repository files navigation

safe-docker

This script runs a given command in a docker image, and tries to enforce the following security measures:

  • The container is fresh, and removed after execution
  • The command is run as the user and group invoking sudo; it fails to run if it not invoked via sudo or by root.
  • Only the current directory is writable
  • Only the additional paths given on the command line are readable (--dir)
  • Changes to the current directory are preserved
  • Upon SIGTERM (or any other signal), the container is killed

The docker image name is hardcoded in the script (safe-docker). If it were a command line flag, the userwho can run this script could start a malicious image downloaded from the internet.

The option --timeout specifies a timeout in seconds, after which the container is killed, and the special return value of 23 is returned.

The option --memory does the same for memory usage. On Debian machines, this requires the kernel parameters cgroup_enable=memory swapaccount=1. Returns 24 when OOM occurs.

The option --ulimit sets ulimits for the container and expects a key-value pair separated by an equal sign (=). This option can be specified multiple times.

Not much is expected from the docker image. But some programs do not like it when the current user id has no name (e.g. those using whoami). If you need to run these, you need to add the user to your image’s /etc/passwd, and ensure that it has the same uid as the calling user.

Environment variables are not passed through (which would also depend on sudo doing that), but you can prefix the command with env VAR=value cmd.

This script should be copied to, say, /usr/local/bin and made read-only for the user running it. Then the targetting user must get sudo permissions to run it, e.g. by adding the following lines via visudo:

# Praktomat may use safe-docker
praktomat ALL= NOPASSWD: /usr/local/bin/safe-docker

It requires some perl libraries to be installed. On Debian and Ubuntu, run

apt-get install libipc-run-perl libdata-guid-perl

About

Sandbox untrusted code using docker

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages