Comment on What actual damage do you secure your servers against? Whats the attack vector?
hirihit640@sh.itjust.works 19 hours agoWith that setup, an attacker could mount the host filesystem to the container and would own the host from that container.
Can you elaborate more on this? Assuming an attacker is in the Jellyfin container with full remote code execution, how could they mount the host filesystem?
It would depend on having access to misconfigured permissions or docker.sock like when you chain containers to manage other containers. Because you have access to docker.sock and that socket can send API calls to the docker daemon (which is run from root) those commands would inherit the same level of access. An attacker could make the API call to mount
/:/rootand then access the host filesystem.It's just an example of how even though the container might not have anything worthwhile, it can be used to laterally move and open another door.
hirihit640@sh.itjust.works 18 hours ago
Got it. Access to docker.sock is definitely something to be wary of, or CAP_ADMIN, or access to certain host devices.
Worth mentioning though that Jellyfin usually has none of these.
Also worth mentioning that Linux recently has had two massive privilege escalation vulnerabilities that bypass system namespacing and thus also provide container escapes.