Security risks of exposing Docker socket in official ShinyProxy image

ShinyProxy
1

Dear everyone,

I have read on several websites that it is dangerous to expose the Docker socket inside a container because it is equivalent to getting root access as soon as the container would be compromised. See, for example, here, here and here.

  1. Do you think it is less secure to run ShinyProxy in the official container because the Docker socket needs to be mounted in it? Why (or why not) would this be the case?
  2. Is the security risk similar as running ShinyProxy directly with a user that belongs to the Docker group (because, according to the official Docker docs, the Docker group has privileges similar to root?
  3. I assume that the entire setup will be safer when running Docker in rootless mode. Is this possible with ShinyProxy?

Thanks in advance for helping out here.

2

Hi, thanks for your interst in ShinyProxy.

Regarding your questions:

  1. There is no big difference in security. If you run ShinyProxy on the host, it must also have access to the docker socket. We do advice to not change the docker settings to run on a TCP port (2375), since then all processes on the server could access the docker API.
  2. Yes
  3. Indeed it would be more secure. I just posted a comment on GitHub with a bit more information: docker rootless support ? · Issue #525 · openanalytics/shinyproxy · GitHub
1 Like