From 383fd7fba84678603e47e4ad4ddc01ecb6e0b916 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Thu, 31 Mar 2022 00:33:39 +0200 Subject: [PATCH] typo --- content/posts/docker-hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/docker-hardening.md b/content/posts/docker-hardening.md index a62cdd6..5fae1b6 100644 --- a/content/posts/docker-hardening.md +++ b/content/posts/docker-hardening.md @@ -58,7 +58,7 @@ As an image maintainer, you can sign your images to improve the authenticity ass ## Leave my root alone! ### Attack surface -Traditionnaly, Docker runs as a daemon owned by root. That also means that root in the container is actually the root on the host and may be a few commands away from compromising the host. More generally, the attacker has to exploit the available attack surface to escape the container. There is a huge attack surface, actually: the Linux kernel. [Someone wise once said](https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability): +Traditionally, Docker runs as a daemon owned by root. That also means that root in the container is actually the root on the host and may be a few commands away from compromising the host. More generally, the attacker has to exploit the available attack surface to escape the container. There is a huge attack surface, actually: the Linux kernel. [Someone wise once said](https://grsecurity.net/huawei_hksp_introduces_trivially_exploitable_vulnerability): > The kernel can effectively be thought of as the largest, most vulnerable setuid root binary on the system.
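Review bot: the spelling fix ("Traditionnaly" to "Traditionally") is correct, but since this line is being touched anyway, the claim that "root in the container is actually the root on the host" deserves a qualifier: it holds for the default configuration without user namespaces, while a daemon configured with user namespace remapping maps container root to an unprivileged host UID. Suggest something like "Traditionally, Docker runs as a daemon owned by root, and without user namespace remapping, root in the container is actually the root on the host ..." so the sentence does not read as unconditional. The commit subject "typo" could also name the word fixed to make the history easier to search.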