Teri Radichel

Summary

The article provides a guide on running Docker in rootless mode on Amazon Linux 2023 to enhance security by limiting the permissions of the Docker service.

Abstract

The article, titled "Running Docker in Rootless Mode in Amazon Linux 2023," discusses the importance of limiting the Docker service's permissions to reduce the potential damage from process injection attacks. The author, Teri Radichel, outlines the steps to install Docker and configure it to run without root privileges, which involves using the user namespace. The prerequisites include installing newuidmap and newgidmap, which are typically provided by the shadow-utils package. The article also addresses the installation of necessary packages, the use of the default ec2-user for running Docker services, and the need to disable the Docker socket for security reasons. Radichel emphasizes the benefits of running Docker in rootless mode, such as restricting the capabilities of potential attackers who exploit process injection vulnerabilities. The article concludes with an invitation for readers to follow for updates and a brief introduction of the author's expertise and services offered by 2nd Sight Lab.

Opinions

  • The author believes that running Docker in rootless mode is a critical security measure to limit the impact of potential attacks.
  • Radichel suggests that the default installation of Docker may pose security risks due to its requirement to run as the root user.
  • The article implies that the process of setting up rootless Docker mode may require additional research and adaptation, as demonstrated by the need to consult documentation for similar distributions like CentOS.
  • The author indicates a preference for using the dnf package manager, which is the default for Amazon Linux 2023, although yum commands are still functional.
  • Radichel encourages readers to explore further security recommendations and best practices provided in the Docker documentation to enhance their system's security posture.
  • The author expresses an intention to provide future guidance on automating the setup of rootless Docker in an image, suggesting a commitment to ongoing learning and sharing of knowledge.

Running Docker in Rootless Mode in Amazon Linux 2023

ACM.458 Limiting the permissions of the docker service to help reduce the damage caused by a process injection attack

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

⚙️ Check out my series on Automating Cybersecurity Metrics. The Code.

🔒 Related Stories: AppSec | Secure Code | AWS Security | Container Security

💻 Free Content on Jobs in Cybersecurity | ✉️ Sign up for the Email List

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the last post I summarized the credentials and roles used by the 2nd Sight Lab Job Execution Framework.

In this post, I’m going to show how to run docker in rootless mode on Amazon Linux 2023.

First let’s install docker and see what we find.

sudo yum install docker

Type y to proceed above. When the installation is finished, check your docker version:

docker --version

Ok now start docker.

Notice that if you try to start docker as a non-root user it fails:

systemctl start docker

You have to use sudo (or in other words run it with root privileges):

sudo systemctl start docker

Now we can run a command to find out information about the user associated with our docker service:

sudo ps -aux | grep docker

Here you can tell that the docker service is running as the root user.

It used to be that the docker service required execution as root. That meant if anything got ahold of your docker service executing on your host, it could do anything the root user can do on the machine.

How might someone “get ahold of your docker service”? There are various ways but one might be process injection. Due to some vulnerability, malware gets onto your system and can inject a subprocess that is associated with the docker service running on your host. That subprocess inherits the permission of the service it associates itself with.

Now there’s something called rootless mode, which runs the daemon in a user namespace, or in other words with additional constraints that are not applied to the root user on your system. If an attacker injects code into this process then it will only be able to do what the user running docker can do. In production systems you’ll want to create a user specifically for docker and limit its permissions to those docker needs to function.

There are a few things you won’t be able to do if you run in rootless mode documented above, but my needs seem to be pretty simple so I’m going to try it out.

We have to fulfill some prerequisites.

You must install newuidmap and newgidmap on the host. These commands are provided by the uidmap package on most distros.

How do I know if those packages are installed? Well I tried this:

sudo yum list installed | grep uidmap

Nothing came up.

Just for fun I tested installing it with yum, which as expected did not work.

I found this page which shows how to install newuidmap on just about every OS but the one I’m using:

https://laramatic.com/how-to-install-newuidmap-on-debian-ubuntu-alpine-arch-kali-fedora-and-raspbian/

Well I started looking for information on CentOS, which is probably most similar to Amazon Linux, and found this:

I checked to see if shadow-utils is installed and it is.

Also I found the packages in /usr/bin.

ls /usr/bin

Alright let’s see if we can continue. I’m going to guess that the CentOS 8 commands will work:

I read that dnf is the default package manager on Amazon Linux 2023, though the yum commands still seem to be working.

Well this initial command doesn’t work:

I know iptables is already installed.

I proceed without and hope that it works.

I’m going to disable the docker socket as recommended:

sudo systemctl disable --now docker.service docker.socket

I don’t see the packages so I try the “Without packages” option.

I got a lot more output than the above and it looks like I need to tweak my colors a bit more:

I run the command to get the version of docker and it’s working:

I can run this command to get information about the docker processes that are running:

sudo ps -aux | grep docker

Looks like they are all running as ec2-user instead of root:

If you weren’t aware, ec2-user is the default user on Amazon Linux.
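To turn the two `ps` checks above into something repeatable, here is an added example (not from the original post) that parses `ps aux`-style output and fails when any Docker daemon process is still owned by root. The two listings embedded in it are constructed to mirror the before and after states in the post, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: audit which account owns each
# Docker daemon process so you can confirm the switch to rootless mode took.
# Input is `ps aux`-style text on stdin; the two samples below are constructed,
# not captured from a real host.

# Print "user command" for every dockerd/containerd/rootlesskit process,
# skipping the ps header (NR > 1) and the grep that produced the listing.
# In `ps aux` output the command starts in field 11.
docker_procs() {
    awk 'NR > 1 && $0 !~ /grep/ && $11 ~ /(dockerd|containerd|rootlesskit)/ { print $1, $11 }'
}

# Succeed (exit 0) only when no Docker daemon process is owned by root.
docker_not_root() {
    ! docker_procs | awk '$1 == "root" { found = 1 } END { exit !found }'
}

# Constructed listing matching the post's first check: everything runs as root.
SAMPLE_BEFORE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1234 0.1 1.0 1000 2000 ? Ssl 10:00 0:01 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root 1300 0.0 0.5 800 1000 ? Ssl 10:00 0:00 /usr/bin/containerd
ec2-user 1400 0.0 0.0 100 200 pts/0 S+ 10:01 0:00 grep --color=auto docker'

# Constructed listing matching the post's second check: rootless daemon as ec2-user.
SAMPLE_AFTER='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
ec2-user 2200 0.0 0.3 900 1500 ? Ssl 10:05 0:00 rootlesskit --net=slirp4netns --mtu=65520 /usr/bin/dockerd-rootless.sh
ec2-user 2210 0.1 1.0 1000 2000 ? Ssl 10:05 0:01 dockerd
ec2-user 2250 0.0 0.5 800 1000 ? Ssl 10:05 0:00 containerd --config /run/user/1000/docker/containerd/containerd.toml
ec2-user 2300 0.0 0.0 100 200 pts/0 S+ 10:06 0:00 grep --color=auto docker'

# Stand-alone demo over the two samples; on a live host use: ps aux | docker_not_root
for name in SAMPLE_BEFORE SAMPLE_AFTER; do
    eval "sample=\$$name"
    if printf '%s\n' "$sample" | docker_not_root; then
        echo "$name: no root-owned Docker daemon processes"
    else
        echo "$name: root-owned Docker daemon processes:"
        printf '%s\n' "$sample" | docker_procs | awk '$1 == "root"'
    fi
done
```

The same check drops into a cron job or a CI step on the instance, so a daemon that silently falls back to running as root gets noticed instead of going unseen.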

There are a number of recommendations and best practices in the rest of the documentation on that page. I leave it as an exercise to the reader to go through all that and see if any of it applies to you.

I hope to get around to showing you how to create an image that does all this for you automatically as time allows.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2024

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab
Need Help With Cybersecurity, Cloud, or Application Security?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
🔒 Request a penetration test or security assessment
🔒 Schedule a consulting call
🔒 Cybersecurity Speaker for Presentation
Follow for more stories like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
❤️ Sign Up my Medium Email List
❤️ Twitter: @teriradichel
❤️ LinkedIn: https://www.linkedin.com/in/teriradichel
❤️ Mastodon: @teriradichel@infosec.exchange
❤️ Facebook: 2nd Sight Lab
❤️ YouTube: @2ndsightlab