I have been unable to find any help online for this simple mistake I made, so I was looking for some help. I am using a server to run a docker image in a container and I mistyped and have caused an annoyance for myself. I ran the command

```sh
docker run --rm -v typo:location docker_name
```

and since I had a typo with the directory to mount, it created a directory on the host machine, and when the container ended the directory remained. I tried to remove it, but I just get the error

```
rm -rf typo/
rm: cannot remove 'typo': Permission denied
```

I know now that I should have used --mount instead of -v for safety, but the damage is done; how can I remove this directory without having access to the container that created it?

I apologize in advance, my knowledge of docker is quite limited. I have mostly learned it only to use a particular image and I do a bunch of Google searches to do the rest.

Josh B.
  • You should be able to use `sudo` to get root permissions. The syntax you show `docker run -v name:/container/path` creates a Docker _named volume_ that doesn't have an accessible location on the host, though; `docker volume rm typo` would delete it. – David Maze Sep 21 '21 at 18:42
  • @DavidMaze So, I do not have `sudo` permissions, so that option is not viable for me. The command `docker volume rm typo` returns with the error `Error: No such volume: typo`. From here, I don't know how to proceed. – Josh B. Sep 22 '21 at 15:07

1 Answer

The first rule of Docker security is, if you can run any docker command at all, you can get unrestricted root access over the entire host.

So you can fix this issue by running a container, running as root and bind-mounting the parent directory, that can delete the directory in question:

```sh
docker run \
  --rm \
  -v "$PWD:/pwd" \
  busybox \
  rm -rf /pwd/typo
```

> I do not have sudo permissions

You can fix that

```sh
docker run --rm -v /:/host busybox vi /host/etc/sudoers
```

(This has implications in a lot of places. Don't indiscriminately add users to a docker group, particularly on a multi-user system, since they can trivially get root access. Be careful publishing the host's Docker socket into a container, since the container can then root the host; perhaps redesign your application to avoid needing it. Definitely do not expose the Docker socket over the network.)

David Maze
  • This was exactly what I needed; binding the mount and removing from the docker worked. Thank you so much! – Josh B. Sep 23 '21 at 19:25
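
The three exposures named in the answer's closing paragraph (docker group membership, containers holding the Docker socket, and a daemon listening on TCP) can be audited on a host. The script below is an added example, not part of the original answer: the function names are hypothetical, each function reads text on stdin, and the `--live` section assumes a Linux host with `getent`, GNU `xargs` and procps `ps`.

```shell
#!/bin/sh
# Added example: audit a host for the exposures the answer warns about.
# The functions are pure text filters so they can be checked offline.

# Members of the "docker" group, one per line.
# Input: lines in /etc/group format (as printed by `getent group`).
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" { gsub(",", "\n", $4); print $4 }'
}

# Names of containers that bind-mount the Docker socket.
# Input: one line per container, "<name> <mount source> <mount source> ...".
socket_mounted_containers() {
    awk '{ for (i = 2; i <= NF; i++)
             if ($i ~ "^(/var)?/run/docker[.]sock$") { print $1; break } }'
}

# tcp:// listeners found in a daemon.json "hosts" list or a dockerd command line.
tcp_listeners() {
    grep -Eo 'tcp://[^"[:space:],]+' || true   # no match is not an error
}

# Run against the real host only when asked to.
if [ "${1:-}" = "--live" ]; then
    echo "Users in the docker group (treat as root-equivalent):"
    getent group docker | docker_group_members

    echo "Running containers with the Docker socket mounted:"
    docker ps -q | xargs -r docker inspect \
        --format '{{.Name}}{{range .Mounts}} {{.Source}}{{end}}' |
        socket_mounted_containers

    echo "Docker daemon TCP listeners (should be empty):"
    { cat /etc/docker/daemon.json 2>/dev/null
      ps -o args= -C dockerd 2>/dev/null; } | tcp_listeners
fi
```

Every name printed under the first two headings can obtain root on the host by the same bind-mount route the answer uses, so review those lists as you would a sudoers file.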