Security concern about the privileged option in docker session #1160

@rpie9

Bug Description

When the sandbox is enabled, it creates a docker container for executing commands (currently supported in builtin tool StrReplaceEditor). This includes a terminal session with the container which is initialized by the following code:

async def create(self, working_dir: str, env_vars: Dict[str, str]) -> None:
    startup_command = [
        "bash",
        "-c",
        f"cd {working_dir} && "
        "PROMPT_COMMAND='' "
        "PS1='$ ' "
        "exec bash --norc --noprofile",
    ]

    exec_data = self.api.exec_create(
        self.container_id,
        startup_command,
        stdin=True,
        tty=True,
        stdout=True,
        stderr=True,
        privileged=True,
        user="root",
        environment={**env_vars, "TERM": "dumb", "PS1": "$ ", "PROMPT_COMMAND": ""},
    )

Note that the privileged option is set, which escalates the bash process privileges. According to the Docker docs, the --privileged flag disables/bypasses most of the checks that shield a container from the host system.

For example, the capabilities with --privileged:

> cat /proc/self/status | grep CapEff
CapEff:	000001ffffffffff

> capsh --decode=000001ffffffffff
0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read,cap_perfmon,cap_bpf,cap_checkpoint_restore

Bug solved method

It's better to set the privileged option to False by default to ensure the security of the sandbox.

Environment information

  • System version: Ubuntu 22.04
  • Python version: 3.12
  • OpenManus version or branch: 36713cd (Date: Mon Jun 9 16:22:09 2025 +0800)
  • Installation method : uv pip install -r requirements.txt

Extra information

No response
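
An added example, not part of the original issue or of OpenManus: a small audit helper that decodes a `CapEff` mask the way `capsh --decode` does and reports every capability held beyond Docker's default set, so a sandbox session can be checked after `privileged` is turned off. The function names and the sample status text are hypothetical; the capability order is the one in the capsh output above.

```python
import re

# Capability names in kernel bit order (bit 0 = cap_chown), as listed in the
# capsh output quoted in the issue.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# Capabilities Docker grants an unprivileged container by default.
DOCKER_DEFAULT = {
    "chown", "dac_override", "fowner", "fsetid", "kill", "setgid", "setuid",
    "setpcap", "net_bind_service", "net_raw", "sys_chroot", "mknod",
    "audit_write", "setfcap",
}

def decode_capeff(hex_mask: str) -> list[str]:
    """Turn a CapEff hex mask into capability names (like capsh --decode)."""
    mask = int(hex_mask, 16)
    names = [n for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    # Bits beyond the table belong to capabilities newer than this list.
    names += [f"bit_{b}" for b in range(len(CAP_NAMES), mask.bit_length())
              if (mask >> b) & 1]
    return names

def audit_status(status_text: str) -> dict:
    """Report capabilities in /proc/<pid>/status beyond Docker's defaults."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line found")
    held = decode_capeff(match.group(1))
    extra = [n for n in held if n not in DOCKER_DEFAULT]
    return {"held": held, "extra": extra, "beyond_default": bool(extra)}

# Constructed samples: the first mask is the one quoted in the issue, the
# second is the mask of Docker's default capability set.
PRIVILEGED_STATUS = "Name:\tbash\nCapEff:\t000001ffffffffff\n"
DEFAULT_STATUS = "Name:\tbash\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    for label, text in (("privileged", PRIVILEGED_STATUS), ("default", DEFAULT_STATUS)):
        report = audit_status(text)
        print(label, len(report["held"]), "caps; beyond default:", report["extra"])
```

Feeding it the contents of `/proc/self/status` from inside the exec session gives a pass/fail signal (`beyond_default`) that can gate a sandbox start-up test.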
