Docker Security: Best Practices for your Vessel and Containers

Docker Security Everything you need to know about Docker security.   Introduction into Docker Docker became very popular in a matter of just a few years. Operating systems like CoreOS use Docker to power the system by running applications on top of their own lightweight platform. Docker in its turn, provides utilities around technologies like Linux container technology (e.g. LXC, systemd-nspawn, libvirt). Previously Docker could be described as the “automated LXC”, now it’s actually even more powerful. What it definitely […]

Read more

Linux capabilities 101

Security of Linux systems and applications can be greatly improved by using hardening measures. One of these measures is called Linux capabilities. Capabilities are supported by the kernel for some while now. Using capabilities we can strengthen applications and containers. Unfortunately, this powerful tool is still underutilized. Time to change that! This article helps to understand and apply them. What are Linux capabilities? Normally the root user (or any ID with UID of 0) gets a special treatment when running processes. […]

Read more

Linux Capabilities: Hardening Linux binaries by removing setuid

Linux Capabilities Hardening Linux binaries by removing setuid Normally Unix based systems use two kind of processes: privileged and unprivileged. The first category is usually used for administrative purposes, like starting and stopping other processes, tuning the kernel and opening sockets. Root permissions The command ping is a great example why even small programs needs root permissions. In a first glance you might consider this tool to be simple: send a package to a host and see if it responds. The […]

Read more

How and why Linux daemons drop privileges

How and why Linux daemons drop privileges In this article we have a look at the privileges of Linux daemons and dropping privileges in particular. The samples provided are in C. Why drop privileges? Some daemons need root permissions to start. This happens for example when a daemon wants to bind to a low port (<1024). However running network based daemons with root permissions is considered to be a serious risk. In case of compromise of the process, an attacker […]

Read more