Summary:
I am using Python to start Nvidia Docker containers to run ML tasks with my GPU. This seems to require the container to have root-level privileges. To do this programmatically I have a Python string assembler which builds the docker run-time string.

I.e.: `sudo docker run --gpus All ...`
Executed by: `os.system(runString)`

I have updated this string generator to include `f"echo {SUDOPASS} | sudo -S..."` as a method of not requiring sudo every time a need for a Docker container comes around. Some of my jobs run for hours with multiple containers in use.

Issue:
So my issue is that this approach just feels wrong. My code execution vulnerability alert is shrieking in my head. It feels so easy for someone to abuse this by adjusting the string generator or some other method. I would someday like to post this to git and not worry about my code being used to insert crap. As docker, python and linux are ubiquitous and I have seen others approach this issue in parts I was wondering if anyone might have some best practices advice?

aris-t
  • You probably should need to be root to be able to run `docker run -v /:/host busybox vi /host/etc/shadow` to reset the host root user's password and take over the box. If that doesn't bother you, does the setup in [How to fix docker: Got permission denied issue](https://stackoverflow.com/questions/48957195/how-to-fix-docker-got-permission-denied-issue) help? (And yes, you should never ever construct a command string that way; maybe prefer the [Docker SDK for Python](https://docker-py.readthedocs.io/) over scripting `docker` commands.) – David Maze Apr 30 '22 at 09:56
  • Thanks David, as I said I am looking for suggestions for how to do what works for me in a safe way, as I do realize what I am doing is bad form. I have looked into the Docker Python SDK but it seems I still need to run the Python as root to use it. That just made more of my program a security issue. – aris-t May 08 '22 at 02:48
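The two risks in the question are the password embedded in a shell string and the string itself being assembled from untrusted pieces. The following is an added example (not code from the question or from Docker's own tooling) that puts the original pattern beside a hardened version: arguments are passed to `subprocess.run` as a list, so the host shell never interprets them, image names are checked against a constructed allowlist regex (stricter than Docker's real reference grammar; registry ports and digests are not accepted), and `sudo -n` is used so the call fails instead of prompting when no passwordless sudoers rule exists. The image name `myorg/trainer:1.0` and the sudoers rule it assumes are placeholders; `run_container` needs a real Docker host and is not exercised here.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed allowlist for image references: name[:tag], lowercase name,
# no shell metacharacters. Deliberately narrower than Docker's own grammar.
IMAGE_RE = re.compile(r"^[a-z0-9][a-z0-9._/-]*(?::[A-Za-z0-9._-]+)?$")


def unsafe_run_string(image: str, cmd: str, sudo_pass: str) -> str:
    """The pattern from the question, kept only for contrast.

    The password ends up in the process list, in shell history and in any
    log of runString, and every untrusted piece of `image`/`cmd` is parsed
    by the host shell.
    """
    return f"echo {sudo_pass} | sudo -S docker run --gpus all {image} {cmd}"


def build_docker_argv(image: str, cmd: List[str],
                      gpus: bool = True, use_sudo: bool = False) -> List[str]:
    """Build an argv list for `docker run`; no shell is involved.

    `use_sudo=True` assumes a sudoers rule such as
        user ALL=(root) NOPASSWD: /usr/bin/docker
    (placeholder) so that no password is ever handled by this program;
    `-n` makes sudo fail rather than hang waiting for one.
    """
    if not IMAGE_RE.match(image):
        raise ValueError(f"refusing image reference {image!r}")
    argv: List[str] = []
    if use_sudo:
        argv += ["sudo", "-n"]
    argv += ["docker", "run", "--rm"]
    if gpus:
        argv += ["--gpus", "all"]
    argv.append(image)
    argv.extend(cmd)          # each element stays one argument on the host
    return argv


def loggable(argv: List[str]) -> str:
    """Quote argv for a log line; metacharacters become visible, not active."""
    return shlex.join(argv)


def run_container(image: str, cmd: List[str], **kw) -> subprocess.CompletedProcess:
    """Execute the container; requires a Docker host (not run in the test)."""
    argv = build_docker_argv(image, cmd, **kw)
    return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    print(loggable(build_docker_argv("myorg/trainer:1.0", ["python", "train.py"])))
    try:
        build_docker_argv("ubuntu; id", ["true"])
    except ValueError as exc:
        print("rejected:", exc)
```

Because the image and command never pass through a shell, a value like `ubuntu; id` is either rejected by the allowlist (image) or delivered to `docker` as a single literal argument (command), and the only sudo-related secret is the sudoers rule on the host, which is outside the repository.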

0 Answers