This is an enhancement to increase security in case somebody can exploit SSHD or segfaultsh:
Have a separate container where the sf-scheduler runs. Listen on a socket.
Let SSHD drop into a dummy program that connects to the socket and forwards the SECRET to the sf-scheduler
SSHD connects stdin/stdout etc.
The scheduler starts the user container.
This way any vulnerability in sshd or segfaultsh would not allow an attacker to gain root on the host via docker.socket.
Thanks to mochaaP for a great discussion.
The best solution would be to implement a docker-docker firewall that intercepts any commands on the docker socket (regex) and only allows certain commands.
It's easily done but needs man-power to write the code. (I guess it can be done in 120 lines of Python.)
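The hand-off sketched in the first part of the issue (a dummy program that forwards SECRET and the session's stdin/stdout to a scheduler listening on a socket), as an added example that is not the project's code. The socket path, the length-prefixed message format, the registry of secrets and the `demo_roundtrip` helper are all assumptions made here; descriptors are passed with SCM_RIGHTS so the sshd side never needs docker.sock.

```python
# Added example of the sshd -> scheduler hand-off described above; not the project's code.
# Socket path and message format are assumptions. SECRET and the session's stdio descriptors
# travel over a unix socket (SCM_RIGHTS), so the sshd side never needs docker.sock at all.
import array
import hmac
import os
import socket
import struct

SCHEDULER_SOCK = "/run/sf-scheduler.sock"   # assumed path, owned by the scheduler container

def send_handoff(sock, secret, fds=(0, 1, 2)):
    """Dummy-program side: one length-prefixed SECRET plus the descriptors to hand over."""
    payload = struct.pack("!H", len(secret)) + secret
    rights = (socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", fds))
    sock.sendmsg([payload], [rights])

def recv_handoff(sock, max_fds=3):
    """Scheduler side: return (secret, received_fds) for one hand-off message."""
    fds = array.array("i")
    msg, ancdata, _, _ = sock.recvmsg(65536, socket.CMSG_SPACE(max_fds * fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - len(data) % fds.itemsize])
    if len(msg) < 2:
        raise ValueError("short hand-off message")
    (n,) = struct.unpack("!H", msg[:2])
    if len(msg) < 2 + n:
        raise ValueError("truncated secret")
    return msg[2:2 + n], list(fds)

def lookup_user(secret, registry):
    """Constant-time comparison against the scheduler's registry (secret -> user); None if unknown."""
    for known, user in registry.items():
        if hmac.compare_digest(known, secret):
            return user
    return None

def scheduler_handle(conn, registry, start_container):
    """Validate the secret, then launch the user's container on the received descriptors;
    an unknown secret gets nothing started and its descriptors closed."""
    secret, fds = recv_handoff(conn)
    user = lookup_user(secret, registry)
    if user is None:
        for fd in fds:
            os.close(fd)
        return None
    return start_container(user, fds)

def demo_roundtrip(secret=b"constructed-secret-alice"):
    """Offline exercise over a socketpair with constructed data: the sender hands over a
    pipe's write end; a stand-in launcher writes through the descriptor the scheduler got."""
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    rfd, wfd = os.pipe()
    registry = {b"constructed-secret-alice": "alice"}
    send_handoff(client, secret, [wfd])
    os.close(wfd)                       # sender's copy; the scheduler now holds its own
    def launcher(user, fds):            # stands in for "docker run ..." on the scheduler side
        os.write(fds[0], b"hi")
        os.close(fds[0])
        return user
    user = scheduler_handle(server, registry, launcher)
    data = os.read(rfd, 16)             # b"hi" if the launcher ran, b"" (EOF) if it was refused
    os.close(rfd)
    client.close()
    server.close()
    return user, data
```

Because only the scheduler container holds docker.sock, a compromised sshd or segfaultsh can at most present a secret it already knows; it cannot issue arbitrary daemon calls. The real scheduler would call `docker run` with the received descriptors as the container's stdio instead of the stand-in launcher.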
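An added example of the docker-docker firewall idea, written here and not taken from the project: a proxy that sits between the untrusted side and the daemon socket, matches each request's method and path against a regex allowlist, inspects the body of container-create requests, and forwards only what passes. The socket paths, the allowlist, the refused HostConfig keys and the response format are all assumptions; what a real deployment may allow depends on what the scheduler actually needs.

```python
# Added example, not the project's code: a docker-socket allowlisting proxy. Paths and rules are assumptions.
import json, os, re, socket, threading

DOCKER_SOCK = "/var/run/docker.sock"       # real daemon socket (assumed location)
PROXY_SOCK = "/run/docker-firewall.sock"   # socket handed to the untrusted side (assumed)
VER = rb"(?:/v[0-9.]+)?"                   # optional API version prefix such as /v1.43
CID = rb"[A-Za-z0-9_.-]+"                  # container id or name
ALLOWED = [                                # (method, path regex); anything else is denied
    (b"GET",  re.compile(VER + rb"/containers/json(?:\?.*)?$")),
    (b"POST", re.compile(VER + rb"/containers/create(?:\?.*)?$")),
    (b"POST", re.compile(VER + rb"/containers/" + CID + rb"/(?:start|stop|kill|wait)(?:\?.*)?$")),
]
# HostConfig keys that hand a container host resources; a create request using any of them is refused
HOST_ACCESS_KEYS = ("Privileged", "Binds", "Mounts", "Devices", "CapAdd", "SecurityOpt", "CgroupParent")

def parse_http(data):
    """(method, path, headers, body) of one HTTP/1.1 request; None until it has fully arrived."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    length = headers.get(b"content-length", b"0")
    if not length.isdigit() or len(rest) < int(length):
        return None
    return parts[0], parts[1], headers, rest[:int(length)]

def check_request(data):
    """Decide whether one complete request may reach the daemon; returns (allowed, reason)."""
    parsed = parse_http(data)
    if parsed is None:
        return False, "incomplete or malformed request"
    method, path, headers, body = parsed
    if headers.get(b"transfer-encoding"):
        return False, "chunked requests are not accepted"   # keeps body boundaries unambiguous
    if not any(method == m and rx.match(path) for m, rx in ALLOWED):
        return False, "method/path not in allowlist"
    if method == b"POST" and b"/containers/create" in path:
        try:
            spec = json.loads(body or b"{}")
            host_config = spec.get("HostConfig") or {}
        except (ValueError, AttributeError):
            return False, "create body is not a JSON object"
        if spec.get("Mounts") or any(host_config.get(k) for k in HOST_ACCESS_KEYS):
            return False, "create spec requests host resources"
    return True, "ok"

def reject(client, reason):
    msg = reason.encode()
    client.sendall(b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\nContent-Length: %d\r\n\r\n%s" % (len(msg), msg))

def pump(src, dst):                            # daemon -> client: responses are relayed unchanged
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass

def handle(client):
    """Client -> daemon: every request on the connection is checked, so keep-alive reuse
    cannot slip an unchecked second request past the proxy."""
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        upstream.connect(DOCKER_SOCK)
        threading.Thread(target=pump, args=(upstream, client), daemon=True).start()
        buf = b""
        while chunk := client.recv(65536):
            buf += chunk
            while (parsed := parse_http(buf)) is not None:
                end = buf.index(b"\r\n\r\n") + 4 + len(parsed[3])
                ok, reason = check_request(buf[:end])
                if not ok:
                    return reject(client, reason)
                upstream.sendall(buf[:end])
                buf = buf[end:]
            if len(buf) > 1 << 20:              # cap what an unfinished request may buffer
                return reject(client, "request too large")
    except OSError:
        pass
    finally:
        for s in (client, upstream):            # shutdown also unblocks the pump thread's recv
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass

def serve():
    """Accept on PROXY_SOCK (mode 0660, so group membership gates access) and thread per client."""
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(PROXY_SOCK)
    os.chmod(PROXY_SOCK, 0o660)
    listener.listen(16)
    while True:
        threading.Thread(target=handle, args=(listener.accept()[0],), daemon=True).start()
```

Run it with `serve()` from a process that can read the real daemon socket, and give the untrusted side only `PROXY_SOCK`. Two points the regex-only idea in the issue leaves open are handled here: the body of `containers/create` is inspected, because a path match alone would still let `Privileged` or a bind mount of `/` through, and every request on a keep-alive connection is checked rather than just the first. Chunked request bodies are refused outright so the proxy and the daemon can never disagree about where one request ends and the next begins.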