Docker/Podman and LXC linux containers share the same kernel with the host machine. Root in the container is root period. With a exploit to escape the container (which are common) the malicious program has root on the machine. This is a known attack vector against linux containers. VMs are much better for isolating untrusted software from the host OS.
Comment on Security and docker
verstra@programming.dev 1 month agoCan you expand on this wild claim? The whole point of containers is isolation so what you are saying is that containers fail at that all the time?
Lemongrab@lemmy.one 1 month ago
asap@lemmy.world 1 month ago
They might be talking about posts like this (which I would love to have refuted, as this kind of info has so far kept me from using Docker significantly):
security.stackexchange.com/a/169649
ancoraunamoka@lemmy.dbzer0.com 1 month ago
There is nothing to refute, 100% correct