Docker security

Container breakouts: abusing the DAC_READ_SEARCH capability

If a container is granted the DAC_READ_SEARCH capability, it can bypass file read permission checks and directory read and execute permission checks. Starting from a file mounted into the container, it is then possible to access files on the host system.

In the following video, an attacker leverages the DAC_READ_SEARCH capability granted to the container to retrieve files stored on the host system. Using the SSH service and the contents of the host's /etc/passwd and /etc/shadow files, he succeeds in becoming root on the host.
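The defender's check that follows from this is whether a container's effective capability set contains DAC_READ_SEARCH at all. As an added example (not code from the original page or the video), the script below decodes the Cap* masks from a /proc/<pid>/status dump and flags DAC_READ_SEARCH, or any other capability beyond Docker's default set; the capability-to-bit mapping follows the Linux UAPI header, and the sample status text is constructed to look like a container started with `--cap-add DAC_READ_SEARCH`.

```python
"""Decode the Cap* masks in /proc/<pid>/status and flag CAP_DAC_READ_SEARCH.
Added example, not the page's own code; capability numbering follows the
Linux UAPI header. The sample status text below is constructed."""
import re

# Capability name by bit index, as numbered in include/uapi/linux/capability.h.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Docker's default capability set; anything beyond it deserves a review.
DOCKER_DEFAULT = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW",
    "SETGID", "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE",
    "SYS_CHROOT", "KILL", "AUDIT_WRITE",
}

def decode_caps(mask):
    """Turn a Cap* hex mask into the set of capability names it contains."""
    return {CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"
            for bit in range(mask.bit_length()) if mask >> bit & 1}

def parse_status(text):
    """Return {field: mask} for the Cap* lines of a /proc/<pid>/status dump."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s+([0-9a-fA-F]+)$", text, re.M)}

def audit(text):
    """Flag DAC_READ_SEARCH and any other cap outside Docker's default set."""
    caps = decode_caps(parse_status(text)["CapEff"])
    return sorted(caps - DOCKER_DEFAULT)

# Constructed sample: Docker's default mask 0xa80425fb with bit 2 (0x4) added.
SAMPLE_STATUS = """Name:\tsh
CapPrm:\t00000000a80425ff
CapEff:\t00000000a80425ff
CapBnd:\t00000000a80425ff
"""

if __name__ == "__main__":
    print("caps beyond Docker default:", audit(SAMPLE_STATUS))  # ['DAC_READ_SEARCH']
```

To check a live container, feed it the output of `cat /proc/1/status` from inside the container, or the status file of the container's init process as seen from the host.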