{
  "id": 27300092,
  "url": "https://github.com/nicdesousa/docker-userns-enforcement-plugin",
  "last_synced_at": "2026-05-19T07:05:37.231Z",
  "repository": {
    "id": 207919977,
    "uuid": "219477424",
    "full_name": "nicdesousa/docker-userns-enforcement-plugin",
    "owner": "nicdesousa",
    "description": "Docker User Namespaces Enforcement Plugin",
    "archived": false,
    "fork": false,
    "pushed_at": "2020-02-18T15:54:35.000Z",
    "size": 561,
    "stargazers_count": 1,
    "open_issues_count": 0,
    "forks_count": 2,
    "subscribers_count": 1,
    "default_branch": "master",
    "last_synced_at": "2023-11-18T13:40:05.239Z",
    "etag": null,
    "topics": ["authz", "docker", "enforcement", "plugin", "secutiry", "userns-remap"],
    "latest_commit_sha": null,
    "homepage": null,
    "language": "Go",
    "has_issues": true,
    "has_wiki": null,
    "has_pages": null,
    "mirror_url": null,
    "source_name": null,
    "license": "unlicense",
    "status": null,
    "scm": "git",
    "pull_requests_enabled": true,
    "icon_url": "https://github.com/nicdesousa.png",
    "metadata": {
      "files": {
        "readme": "README.md",
        "changelog": null,
        "contributing": null,
        "funding": null,
        "license": "LICENSE",
        "code_of_conduct": null,
        "threat_model": null,
        "audit": null,
        "citation": null,
        "codeowners": null,
        "security": null,
        "support": null,
        "governance": null
      }
    },
    "created_at": "2019-11-04T10:42:30.000Z",
    "updated_at": "2023-11-18T13:40:20.439Z",
    "dependencies_parsed_at": "2023-11-18T13:50:13.703Z",
    "dependency_job_id": null,
    "html_url": "https://github.com/nicdesousa/docker-userns-enforcement-plugin",
    "commit_stats": null,
    "previous_names": ["nicdesousa/docker-userns-enforcement-plugin"],
    "tags_count": 0,
    "template": null,
    "template_full_name": null,
    "repository_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicdesousa%2Fdocker-userns-enforcement-plugin",
    "tags_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicdesousa%2Fdocker-userns-enforcement-plugin/tags",
    "releases_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicdesousa%2Fdocker-userns-enforcement-plugin/releases",
    "manifests_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nicdesousa%2Fdocker-userns-enforcement-plugin/manifests",
    "owner_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nicdesousa",
    "download_url": "https://codeload.github.com/nicdesousa/docker-userns-enforcement-plugin/tar.gz/refs/heads/master",
    "host": {
      "name": "GitHub",
      "url": "https://github.com",
      "kind": "github",
      "repositories_count": 248501895,
      "owners_count": 21114681,
      "icon_url": "https://github.com/github.png",
      "version": null,
      "created_at": "2022-05-30T11:31:42.601Z",
      "updated_at": "2022-07-04T15:15:14.044Z",
      "host_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub",
      "repositories_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories",
      "repository_names_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names",
      "owners_url": "https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"
    }
  },
  "keywords": ["authz", "docker", "enforcement", "plugin", "secutiry", "userns-remap"],
  "created_at": "2025-04-12T00:51:33.297Z",
  "updated_at": "2025-10-26T12:03:13.463Z",
  "avatar_url": "https://github.com/nicdesousa.png",
  "language": "Go",
  "funding_links": [],
  "categories": [],
  "sub_categories": [],
  "readme": "# Docker User Namespaces Enforcement Plugin\n\n![Go Report Card](https://goreportcard.com/badge/github.com/nicdesousa/docker-userns-enforcement-plugin)\n![GitHub](https://img.shields.io/github/license/nicdesousa/docker-userns-enforcement-plugin)\n[![CodeFactor](https://www.codefactor.io/repository/github/nicdesousa/docker-userns-enforcement-plugin/badge)](https://www.codefactor.io/repository/github/nicdesousa/docker-userns-enforcement-plugin)\n[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=nicdesousa_docker-userns-enforcement-plugin\u0026metric=alert_status)](https://sonarcloud.io/dashboard?id=nicdesousa_docker-userns-enforcement-plugin)\n\nThis project provides a simple Docker authorization plugin that prevents the running of containers with userns-mode set to host (`--userns=host`) when [Docker user namespace remapping](https://docs.docker.com/engine/security/userns-remap/) is enabled.\n\n## Background\n- [\"Privilege escalation\" when starting the Docker daemon with user namespaces enabled](https://github.com/moby/moby/issues/32624)\n- [Docker user namespaces](https://docs.docker.com/engine/security/userns-remap/)\n- [Docker daemon attack surface](https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface)\n\nThe use of \"Docker user namespaces\" is **not** a solution to the widely known \"*anyone with access to the Docker daemon effectively has root permissions on the host*\" problem.\n\n**This is because users can disable Docker user namespaces for any container by adding the `--userns=host` flag to the `docker container create`, `docker container run`, or `docker container exec` commands.** [See the Docker documentation](https://docs.docker.com/engine/security/userns-remap/#disable-namespace-remapping-for-a-container)\n\n```bash\n$ id\nuid=1001(testuser) gid=1001(testuser) groups=1001(testuser),974(docker)\n$ grep testuser /etc/sub?id\n/etc/subgid:testuser:165536:65536\n/etc/subuid:testuser:165536:65536\n$ cat /etc/docker/daemon.json \n{\n    \"userns-remap\": \"testuser\"\n}\n...\n# Daemon-configured (default) user namespace:\n$ docker run -it --rm --volume=\"/:/mnt/hostfs\" fedora /bin/bash\n[root@1d135f34d711 /]# cd /mnt/hostfs/root/\nbash: cd: /mnt/hostfs/root/: Permission denied\n...\n# User-specified user namespace:\n$ docker run -it --rm --volume=\"/:/mnt/hostfs\" --userns=host fedora /bin/bash\n[root@b6441243f429 /]# cd /mnt/hostfs/root/\n[root@b6441243f429 root]# \n...\n# Solution provided by this plugin:\n$ docker run -it --rm --volume=\"/:/mnt/hostfs\" --userns=host fedora /bin/bash\ndocker: Error response from daemon: authorization denied by plugin deny-userns-mode-host: userns=host is not allowed.\nSee 'docker run --help'.\n```\n\n## Installation and configuration of the plugin\n\n1. Download and compile the plugin source code:\n```bash\n$ go get github.com/nicdesousa/docker-userns-enforcement-plugin\n```\n2. Copy the `docker-userns-enforcement-plugin` binary to a suitable directory:\n```bash\n$ sudo cp $GOPATH/bin/docker-userns-enforcement-plugin /usr/local/bin\n```\n3. Create a systemd service and socket file for the plugin:\n\n`/etc/systemd/system/docker-userns-enforcement-plugin.service`\n```ini\n[Unit]\nDescription=Docker User Namespaces Enforcement Plugin\nBefore=docker.service\nAfter=network.target docker-userns-enforcement-plugin.socket\nRequires=docker-userns-enforcement-plugin.socket docker.service\n\n[Service]\nExecStart=/usr/local/bin/docker-userns-enforcement-plugin\n\n[Install]\nWantedBy=multi-user.target\n```\n`/lib/systemd/system/docker-userns-enforcement-plugin.socket`\n```ini\n[Unit]\nDescription=Docker User Namespaces Enforcement Plugin\n\n[Socket]\nListenStream=/run/docker/plugins/deny-userns-mode-host.sock\n\n[Install]\nWantedBy=sockets.target\n```\n\nEnable the plugin:\n```bash\n# systemctl daemon-reload\n# systemctl enable --now docker-userns-enforcement-plugin\n```\n4. Configure the Docker daemon to use the plugin:\n\n`/etc/docker/daemon.json`\n```json\n{\n    \"authorization-plugins\": [\"deny-userns-mode-host\"],\n    \"userns-remap\": \"testuser\"\n}\n```\n\nRestart the docker service:\n```bash\n# systemctl restart docker\n```\n\n5. Test with the examples provided in the Background section.\n",
  "project_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnicdesousa%2Fdocker-userns-enforcement-plugin",
  "html_url": "https://awesome.ecosyste.ms/projects/github.com%2Fnicdesousa%2Fdocker-userns-enforcement-plugin",
  "lists_url": "https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnicdesousa%2Fdocker-userns-enforcement-plugin/lists"
}