It was reported that it is possible to access a builder pod as root when running a docker build. It is observed that any commands can be run as root with 'USER root' in the Dockerfile. The restricted SCC does not seem to prevent this. Builder pods are protected from direct access via 'os rsh' or 'os exec'; however, attackers are able to access a builder pod by making the pod initiate a connection and getting a reverse shell in the course of the build process.

Product bug (contains reproducer): https://bugzilla.redhat.com/show_bug.cgi?id=1304689
If I can upload my own images to the docker builder, I already get root, don't I? Doesn't docker build run as root? I.e., RUN dnf -y install foobar
Spoke with Brenton to confirm this is NOTABUG, a misunderstanding of how Docker/builds work.
I don't think this is much related to docker itself. The s2i build has a mechanism to prevent execution as root by checking uids. A similar thing might be possible to implement now that upstream has a card for this: https://trello.com/c/R9Vb9JDo/857-allow-limiting-dockerfiles-used-in-docker-builds-to-only-have-non-root-numeric-user-instructions
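
The check the upstream card describes (only non-root, numeric USER instructions in a Dockerfile) could look like the sketch below. This is an added example, not part of the bug thread and not OpenShift or s2i code; the function names and the sample Dockerfile are constructed for illustration. It assumes the default backslash escape character and does not inspect the base image, so a Dockerfile with no USER instruction at all still inherits whatever user the base image sets.

```python
import re

# Constructed sample Dockerfile (not taken from the bug report).
SAMPLE = """\
FROM registry.example.com/base:latest
USER 1001
# USER root   <- comment, ignored
USER root
RUN dnf -y install foobar
user 0:0
USER ${BUILD_USER}
ONBUILD USER \\
    admin
USER 1001:0
"""

USER_RE = re.compile(r"^(?:ONBUILD\s+)?USER\s+(\S+)", re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_no, instruction), joining backslash continuations
    (the default Dockerfile escape character) and skipping comments."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf.strip():  # file ended in the middle of a continuation
        yield start, buf.strip()

def user_violations(text):
    """Return (line_no, reason) for every USER that is not a non-zero numeric uid."""
    found = []
    for no, instr in logical_lines(text):
        m = USER_RE.match(instr)
        if not m:
            continue
        uid = m.group(1).split(":", 1)[0]  # drop an optional :group
        if not re.fullmatch(r"[0-9]+", uid):
            found.append((no, "non-numeric user: " + uid))
        elif int(uid) == 0:
            found.append((no, "uid 0 (root)"))
    return found
```

Names and build-time variables are rejected rather than resolved, because the uid they map to is only known inside the image or at build time.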