Docker root access to host system

Backend · Unresolved · 3 answers · 1813 views
心在旅途 2021-02-02 11:46

When I run a container as a normal user I can map and modify directories owned by root on my host filesystem. This seems to be a big security hole. For example

3 answers
  •  佛祖请我去吃肉
    2021-02-02 12:03

    You're missing that containers run as uid 0 internally by default. So this is expected. If you want to restrict the permission more inside the container, build it with a USER statement in Dockerfile. This will setuid to the named user at runtime, instead of running as root.

    Note that the uid of this user is not necessarily predictable, as it is assigned inside the image you build, and it won't necessarily map to anything on the outside system. However, the point is, it won't be root.

    Refer to Dockerfile reference for more information.

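The Dockerfile below is an added example, not code from the question or the answer above. It shows the `USER` approach the answer recommends, with one refinement: the user is created with an explicit uid/gid so the number is predictable and can be matched to a host account (the answer notes the default assignment is not). The image name, the user name `app` and the uid 10001 are arbitrary choices for this example.

```dockerfile
# Added example: run the container process as a fixed, non-root uid so that
# files it creates on a bind-mounted host directory are not root-owned.
FROM debian:bookworm-slim

# Create the account with an explicit uid and gid. Without --uid, useradd picks
# the next free number inside the image, which is what makes it unpredictable.
# 10001 is an arbitrary value chosen for this example.
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid 10001 --create-home --shell /usr/sbin/nologin app

WORKDIR /home/app

# Every later RUN, ENTRYPOINT and CMD executes as uid 10001, not as uid 0.
USER app

# Print the effective identity so the result is visible at run time.
CMD ["id"]
```

To check the effect, build it and bind-mount a root-owned host directory: `docker build -t nonroot-example . && docker run --rm -v /etc:/mnt nonroot-example sh -c 'id && touch /mnt/probe'`. The `id` line reports `uid=10001(app)` and the `touch` fails with "Permission denied", whereas the same command in an image without `USER` succeeds and leaves a root-owned file on the host. Two caveats: `USER` only sets a default, so `docker run --user 0 ...` puts the process back at uid 0, and anyone allowed to talk to the Docker daemon can still mount and modify host paths as root regardless of what the image says.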