Is your container isolated from your internal network?
If I were to compromise your container, I’d immediately pivot to other systems on your private network.
Why do the difficult thing of breaking out of a container when there’s a good chance I can use the credentials I got breaking into your container to access other systems on your network?
Technus@lemmy.zip 3 weeks ago
No. Docker containers aren’t a full sandbox. There’s a number of exploits that can break out of a container and gain root access to the host.
kurikai@lemmy.world 3 weeks ago
Rootless podman helps
possiblylinux127@lemmy.zip 3 weeks ago
Yes and no
Breaking out of docker in a real life context would require either a massive misconfiguration or a major security vulnerability. Chances are you aren’t going to have much in the way of lateral movement but it is always good to have defense in depth.
Technus@lemmy.zip 3 weeks ago
If someone’s self-hosting, I’d be willing to bet they don’t have the same hardened config or isolation that a cloud provider would.
possiblylinux127@lemmy.zip 3 weeks ago
Docker restricts the permissions of software running in the container. It is hardened by default and you need to manually grant permissions in some rare cases.
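To make the two points of this thread concrete (a container that is cut off from the private network, and a container whose permissions are tightened rather than relying on defaults), here is an added Compose example. It is not from any of the posters above and not from the Docker project; the service names, image tags, ports and the `10001` uid are placeholder assumptions. The `app-weak` service shows the common self-hosting default; `app-hardened` shows the same workload with the isolation and permission restrictions applied.

```yaml
# Added example (constructed): weak default versus hardened service definition.
# Image names, ports and the uid/gid are placeholders, not values from the thread.
services:
  app-weak:
    image: example/app:placeholder
    ports:
      - "8080:8080"
    # No network section: lands on the default bridge, can reach any host the
    # Docker host can route to, so a compromise here is a foothold on the LAN.
    # No user, no cap_drop: runs as root in the container with the default
    # capability set; a kernel or runtime bug is then the only remaining barrier.

  app-hardened:
    image: example/app:placeholder
    user: "10001:10001"                  # unprivileged uid/gid inside the container
    read_only: true                      # immutable root filesystem
    tmpfs:
      - /tmp                             # scratch space stays writable, but ephemeral
    cap_drop:
      - ALL                              # start from zero capabilities ...
    cap_add:
      - NET_BIND_SERVICE                 # ... and add back only what the app needs (if any)
    security_opt:
      - no-new-privileges:true           # setuid/setcap binaries cannot escalate
    pids_limit: 256                      # bounds fork bombs
    networks:
      - edge                             # reachable from the reverse proxy only
      - backend                          # talks to the database, nothing else
    # Note: 'ports' is deliberately absent; the reverse proxy on 'edge' publishes it.

  db:
    image: example/db:placeholder
    networks:
      - backend

networks:
  edge: {}
  backend:
    internal: true                       # no default gateway: cannot reach the LAN or the internet
```

The `internal: true` network is what answers the first post: a container on it has no route to the rest of the private network, so stolen credentials found inside it cannot be used to pivot over the network from that container. The `user`, `cap_drop`, `read_only` and `no-new-privileges` settings are the explicit form of what the last post calls Docker's default restrictions; setting them in the file makes the posture visible and auditable, and they carry over to rootless Podman (`podman-compose` or `podman play kube`) where the daemon itself is also unprivileged, which is the point of the rootless suggestion earlier in the thread.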