Docker, Linux: Disable Docker Commands for a User but Allow Him to Run a Docker Container

Posted May 1, 2020 by Yaroslav Grebnov ‐ 2 min read

Task

On a Linux (CentOS 8) machine, create an environment in which Docker commands are disabled for a particular user, but the user can still run a Docker container.

Solution approach

Use a restricted shell, with modifications that close off some of the well-known ways to break out of it.

Solution details

  1. Create a user with restrictions:
sudo adduser ruser
  2. Set a password for ruser (type the password twice):
sudo passwd ruser
  3. Create a restricted shell:
sudo cp /bin/bash /bin/rbash
  4. Modify the ruser settings to force him to use the restricted shell:
sudo usermod -s /bin/rbash ruser
  5. Verify the ruser settings in /etc/passwd:
sudo cat /etc/passwd

There should be a line containing:

ruser:...:/home/ruser:/bin/rbash
  6. Create a directory which will contain the commands available to ruser:
mkdir /home/ruser/commands
  7. Modify the PATH environment variable in ruser's .bash_profile:
vi /home/ruser/.bash_profile

Add the following line to the bottom of the file:

export PATH=$HOME/commands
  8. Log in as ruser (or execute a su):
su - ruser
  9. Verify that the majority of commands are not available to ruser:
cd

As the shell is restricted, this outputs:

-rbash: cd: restricted
ls

As ls is absent from /home/ruser/commands, this outputs:

-rbash: ls: command not found
docker

Just like ls, docker is absent from /home/ruser/commands, so this outputs:

-rbash: docker: command not found

The rbash and vi commands do not work either:

-rbash: rbash: command not found
-rbash: vi: command not found

Trying to modify the PATH variable does not work:

export PATH=/bin

outputs:

-rbash: PATH: readonly variable
  10. Log in as a user with sudo privileges.
  11. Create a script allowing ruser to run a Docker container:
vi /home/ruser/commands/runContainer

Add the following code to the runContainer file:

#!/bin/bash
export PATH=/bin
docker run -it someImageID
  12. Add ruser to the docker group:
sudo usermod -aG docker ruser
  13. Log in as ruser.
  14. Execute runContainer:
runContainer

Observe that an interactive bash shell is now running inside the container.

  15. Exit from the container:
exit
  16. Verify that the PATH contains /home/ruser/commands:
echo $PATH
  17. Verify that the docker command from the runContainer file cannot be executed directly:
docker run -it someImageID

outputs:

-rbash: docker: command not found
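A POSIX shell script, added here and not part of the original post, that checks what the setup above relies on: ruser's entry in /etc/passwd names /bin/rbash, .bash_profile and the commands directory are owned by root and not writable by ruser (otherwise he could reset PATH or add commands of his own), the PATH line is present, and the commands directory holds only runContainer. It assumes the names from the post (ruser, /bin/rbash, $HOME/commands, runContainer); the demo at the bottom runs on a constructed temporary layout, not on the real system.

```shell
#!/bin/sh
# Added example, not from the original post. Checks for the restricted setup
# above; user/shell/dir names are the post's, the demo layout is constructed.

# 0 if the passwd entry for user $1 in file $2 names shell $3.
passwd_shell_is() {
  got=$(awk -F: -v u="$1" '$1 == u { print $7 }' "$2")
  [ "$got" = "$3" ]
}

# 0 if $1 is owned by $2 with neither group nor world write bit. If ruser could
# write .bash_profile or the commands directory, he could reset PATH or add commands.
owned_not_writable() {
  set -- "$1" "$2" $(ls -ld "$1")       # now $3 = mode string, $5 = owner
  [ "$5" = "$2" ] || return 1
  case "$3" in
    ?????w*|????????w*) return 1 ;;     # group (pos 6) or world (pos 9) write bit
  esac
}

# 0 if $1 contains exactly the PATH line the post adds to .bash_profile.
profile_sets_path() { grep -qxF 'export PATH=$HOME/commands' "$1"; }

# 0 if directory $1 holds exactly the names in $2 (space separated, sorted),
# each executable, and nothing else.
commands_dir_has_only() {
  have=$(cd "$1" && ls | tr '\n' ' ' | sed 's/ $//')
  [ "$have" = "$2" ] || return 1
  for c in $2; do [ -x "$1/$c" ] || return 1; done
}

# Demo on a constructed layout in a temporary directory; no real user is touched.
demo() {
  tmp=$(mktemp -d); me=$(id -un)
  printf 'ruser:x:1001:1001::/home/ruser:/bin/rbash\n' > "$tmp/passwd"
  printf 'export PATH=$HOME/commands\n' > "$tmp/.bash_profile"
  mkdir "$tmp/commands"
  printf '#!/bin/bash\nexport PATH=/bin\ndocker run -it someImageID\n' > "$tmp/commands/runContainer"
  chmod 644 "$tmp/.bash_profile"; chmod 755 "$tmp/commands" "$tmp/commands/runContainer"
  passwd_shell_is ruser "$tmp/passwd" /bin/rbash     && echo "login shell: ok"
  owned_not_writable "$tmp/.bash_profile" "$me"      && echo ".bash_profile: ok"
  owned_not_writable "$tmp/commands" "$me"           && echo "commands dir: ok"
  profile_sets_path "$tmp/.bash_profile"             && echo "PATH line: ok"
  commands_dir_has_only "$tmp/commands" runContainer && echo "commands: ok"
  chmod 777 "$tmp/commands"                          # misconfiguration to detect
  owned_not_writable "$tmp/commands" "$me"           || echo "commands dir: FAIL (world-writable)"
  rm -rf "$tmp"
}
demo
```

On the real machine, run the checks as root against /etc/passwd, /home/ruser/.bash_profile and /home/ruser/commands with owner root.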
