Details
Suggestion
Resolution: Unresolved
Description
Problem Definition
If a user has sufficient permissions to create new plans, they can attach volumes to Docker runner containers without any restriction.
This raises a security concern: if Docker is running as root, a folder with sensitive data on the host machine can be mounted in this container, and the files can be manipulated with root permissions.
Suggested Solution
It would be a good idea if only Bamboo admins could specify the volumes that can be attached to the Docker Runner container.
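
One way the admin-controlled restriction suggested above could be checked, as an added example (not Bamboo's code and not part of the original issue): a plan's volume mappings are compared against an allowlist of host directories. The allowlist paths, function names and sample specs are hypothetical.

```python
import posixpath

# Constructed allowlist an admin would maintain (hypothetical paths).
ADMIN_ALLOWED_HOST_DIRS = ["/data/bamboo/cache", "/opt/build-tools"]

# Constructed volume specs for one plan, in 'host:container[:mode]' form.
SAMPLE_SPECS = ["/data/bamboo/cache:/cache", "/opt/build-tools:/tools:ro",
                "/etc:/host-etc", "/data/bamboo/cache/../../../etc:/x",
                "/opt/build-tools-x:/tools"]


def parse_volume(spec):
    """Split 'host:container[:mode]' and return the normalized host path."""
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        raise ValueError("expected host:container[:mode]")
    host, container = parts[0], parts[1]
    # Named volumes and relative paths are refused: only absolute bind mounts.
    if not host.startswith("/") or not container.startswith("/"):
        raise ValueError("host and container paths must be absolute")
    # Lexical normalization collapses '..' segments; a check running on the
    # agent host should also resolve symlinks (os.path.realpath).
    return posixpath.normpath(host), container


def is_allowed(host_path, allowed_dirs):
    """True if host_path is an allowed directory or lies inside one."""
    for base in allowed_dirs:
        base = posixpath.normpath(base)
        # Compare on a path boundary so '/opt/build-tools-x' does not match.
        if host_path == base or host_path.startswith(base + "/"):
            return True
    return False


def review_plan_volumes(specs, allowed_dirs=ADMIN_ALLOWED_HOST_DIRS):
    """Return (accepted, rejected) for the volume specs of one plan."""
    accepted, rejected = [], []
    for spec in specs:
        try:
            host, _container = parse_volume(spec)
        except ValueError as exc:
            rejected.append((spec, str(exc)))
            continue
        if is_allowed(host, allowed_dirs):
            accepted.append(spec)
        else:
            rejected.append((spec, "host path not on admin allowlist"))
    return accepted, rejected
```

The check fails closed: anything that does not parse as an absolute bind mount, or whose normalized host path falls outside the allowlist, is rejected with a reason that can be shown to the plan author.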