Skip to main content

Docker, Linux: Disable Docker commands for a user but allow him running a Docker container

· 3 min read
Yaroslav Grebnov
Yaroslav Grebnov
Golang developer, SDET

A tutorial of how to create an environment with Docker commands disabled for a particular user, but with a possibility for this user to run a Docker container on a Linux (CentOS8) machine.

The solution is based on usage of a restricted shell with modifications disabling some of well-known possibilities to break out from it.

  1. Create a user with restrictions:
sudo adduser ruser
  1. Set a password for ruser (type the password twice):
sudo passwd ruser
  1. Create a restricted shell:
sudo cp /bin/bash /bin/rbash
  1. Modify ruser settings. Force him to use restricted shell:
sudo usermod -s /bin/rbash ruser
  1. Verify correctness of ruser settings in /etc/passwd:
sudo cat /etc/passwd

There should be a line containing:

ruser:...:/home/ruser:/bin/rbash
  1. Create a directory which will contain commands available for ruser:
mkdir /home/ruser/commands
  1. Modify PATH environment variable in ruser’s .bash_profile:
vi /home/ruser/.bash_profile

Add the following line to the bottom of the file:

export PATH=$HOME/commands
  1. Log in as ruser (or execute a su):
su - ruser
  1. Verify that the majority of commands are not available for ruser:
cd

as the shell is restricted, outputs:

-rbash: cd: restricted
ls

as ls is absent in /home/ruser/commands, outputs:

-rbash: ls: command not found
docker

just like for ls, due to the fact that docker is absent from /home/ruser/commands, outputs:

-rbash: docker: command not found

rbash and vi commands do not work either:

-rbash: rbash: command not found
-rbash: vi: command not found

trying to modify PATH variable does not work:

export PATH=/bin

outputs:

-rbash: PATH: readonly variable

  1. Login as a user with sudo privileges

  2. Create a script allowing ruser to run a Docker container:

vi /home/ruser/commands/runContainer

Add the following code to the runContainer file:

#!/bin/bash
export PATH=/bin
docker run -it someImageID
  1. Add ruser to docker group:
sudo usermod -aG docker ruser

  1. Log in as ruser

  2. Execute runContainer command:

runContainer

Observe that the interactive bash shell has been executed on the container.

  1. Exit from the container:
exit
  1. Verify that the PATH contains /home/ruser/commands:
echo $PATH
  1. Verify that the docker command in the runContainer file cannot be executed:
docker run -it someImageID

outputs:

-rbash: docker: command not found

In case you have a question or a comment concerning this tutorial, please send it to: [email protected].