Security settings introduced in Portainer 1.24.1

Hi Portainer Fans...

As you will no doubt already have seen, we recently released Portainer 1.24.1 to address some security concerns raised by an external security professional. Full credit to Iain Smart for reporting the findings (https://twitter.com/smarticu5).

Let me explain the changes, shown below, and why...

1) Disable bind mounts for non-administrators

This security setting has been around for a while, and blocks non-admin users within Portainer from using bind mounts when creating containers, services or stacks. When it is enabled, the option to attach a host file system path is removed.

2) Disable privileged mode for non-administrators

This security setting has been around for a while, and blocks non-admin users within Portainer from elevating the privilege of a container to bypass SELinux/AppArmor. When it is enabled, the option to select "Privileged" mode when creating a container is removed.

3) Enable volume management for non-administrators

This security setting has been around for a while, and blocks non-admin users within Portainer from "browsing" persistent volumes, which also removes their ability to upload, download, rename or delete files from within Portainer.

4) Disable the use of host PID 1 for non-administrators

This is a NEW feature, added in 1.24.1, and blocks non-admin users within Portainer from requesting that a deployed container operates AS the host PID. This is a security risk if used by an untrustworthy authorized user: when the container operates as PID 1 on the host, they are in effect able to run any command from the container console as root on the host.

By enabling this feature, the ability to use HOST PID is removed.

5) Disable the use of Stacks for non-administrators

This is a NEW feature added in 1.24.1, and is a "sledgehammer" method to remove any possibility of non-admin users within Portainer finding and using weaknesses in the Docker architecture. Whilst Portainer has provided the ability to disable some of the more common exploits, we cannot possibly block them all, as there are any number of capabilities that could be added to a container in an attempt to gain access to the host. This feature simply allows an admin to disable all possible entry points.

6) Disable device mappings for non-administrators

This is a NEW feature added in 1.24.1, and blocks users from mapping host devices into containers. Whilst the ability to map devices is generally used for good (e.g. mapping a GPU into a container), it can equally be used by untrustworthy authorized users to map a physical storage device into a container. It is possible to mount /dev/sda1 into a container, and then, from a console of that container, the user would have complete access to the sda1 device without restriction. By enabling this feature, Portainer blocks non-admins from mapping ANY devices into containers.
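The toggles above stop non-admins from creating new containers with these settings, but they do nothing about containers that were deployed before the toggles were switched on. The following audit script is an added example (not Portainer's code) that walks `docker inspect` output and flags the same four settings: privileged mode, host PID, bind mounts and device mappings. The sample data is constructed to match the shape of `docker inspect`; the container names and device paths are made up.

```python
import json

# Constructed sample in the shape of `docker inspect` output; names and paths are made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/gpu-job", "HostConfig": {
        "Privileged": False, "PidMode": "", "Binds": [],
        "Devices": [{"PathOnHost": "/dev/nvidia0", "PathInContainer": "/dev/nvidia0"}]}},
    {"Name": "/suspicious", "HostConfig": {
        "Privileged": True, "PidMode": "host", "Binds": ["/:/host:rw"],
        "Devices": [{"PathOnHost": "/dev/sda1", "PathInContainer": "/dev/sda1"}]}},
    {"Name": "/web", "HostConfig": {
        "Privileged": False, "PidMode": "", "Binds": ["myvol:/data"], "Devices": []}},
])


def risky_settings(host_config: dict) -> list:
    """List the host-level settings this container uses, one tag per finding.

    The tags line up with the Portainer toggles: privileged mode, host PID,
    bind mounts and device mappings.
    """
    findings = []
    if host_config.get("Privileged"):
        findings.append("privileged")
    if host_config.get("PidMode") == "host":
        findings.append("host-pid")
    # A bind mount's source is a host path; a named volume ("myvol:/data") does not start with "/".
    for bind in host_config.get("Binds") or []:
        if bind.startswith("/"):
            findings.append("bind-mount:" + bind.split(":", 1)[0])
    for dev in host_config.get("Devices") or []:
        findings.append("device:" + dev.get("PathOnHost", "?"))
    return findings


def audit(inspect_json: str) -> dict:
    """Map container name -> findings, leaving out containers with nothing to report."""
    report = {}
    for container in json.loads(inspect_json):
        findings = risky_settings(container.get("HostConfig") or {})
        if findings:
            report[container["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    # For a live host, feed it the output of: docker inspect $(docker ps -q)
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name + ": " + ", ".join(findings))
```

A device mapping is not always a problem (the GPU container above is legitimate), so the report is a list for an admin to review rather than a verdict.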
