Running Docker via PHP exec
Question
I need a safer alternative than this one: sudo usermod -aG docker www-data
Hey guys,
I need help running a Docker container using the "bwits/pdf2htmlex" image through the PHP "exec" function in the browser. Here is the code I'm using:
<?php
// Runs pdf2htmlEX in a throwaway container: input PDFs are read from files/pdf, the HTML output lands in files/html.
exec("docker run --rm -v /var/www/html/ConverterPDF/html/files/pdf/:/pdf -v /var/www/html/ConverterPDF/html/files/html:/html bwits/pdf2htmlex pdf2htmlEX --zoom 3 /pdf/file.pdf --dest-dir /html 2>&1");
?>
However, I ran into permission issues when executing this code through PHP's "exec" function. To get around this, I used the following command:
sudo usermod -aG docker www-data
While this resolved the issue, it doesn't appear to be a secure solution. I would like to know if there is a safer alternative to deal with this situation.
Answer 1
Score: 2
You can't docker run a container without creating an extremely large security issue. If you can docker run that container, then you can also

docker run -v/:/host busybox vi /host/etc/sudoers

and otherwise make any change to any file on the host system.
Paths to make this more secure generally involve packaging up the application in some way where you can run it without using the Docker CLI or API. The image you reference packages the pdf2htmlEX tool, and you might be able to just install that tool in the environment you're running the PHP service. You also might be able to build an image that contains a minimal HTTP server and the tool, and runs the tool as a subprocess in response to an HTTP POST request.
If you must give yourself access to the Docker socket, and thereby unrestricted root-level access to the entire host, adding the application's user to the docker group is a fine way to do it. If your service framework allows specifying additional Unix groups then you could also add docker as a group.
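The second option the answer describes, a small HTTP server inside the converter image that runs pdf2htmlEX as a subprocess, as an added example that is not part of the original answer. It assumes pdf2htmlEX is on PATH in the image, that /pdf and /html are the mounted directories from the question, and that the PHP side sends an HTTP POST with file=<name>.pdf instead of calling exec; www-data then needs no Docker socket access at all.

```python
# Added example: minimal HTTP front end for pdf2htmlEX, run inside the converter
# image. Assumes pdf2htmlEX is on PATH and /pdf and /html are the mounted dirs.
import re
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

PDF_DIR = "/pdf"
HTML_DIR = "/html"
# Only a plain base name ending in .pdf is accepted: no slashes and no "..",
# so a caller cannot point the converter at files outside /pdf.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,128}\.pdf$")

def validate_name(name):
    """Return the name if it is a safe base name, otherwise None."""
    if name is None or not SAFE_NAME.match(name) or name.startswith("."):
        return None
    return name

def build_argv(name, zoom=3):
    """Build the pdf2htmlEX argv as a list: no shell, so no command injection."""
    return ["pdf2htmlEX", "--zoom", str(zoom), f"{PDF_DIR}/{name}", "--dest-dir", HTML_DIR]

def convert(name, timeout=120):
    """Run the conversion as a subprocess; returns (exit code, combined output)."""
    proc = subprocess.run(build_argv(name), capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout + proc.stderr

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        name = validate_name(form.get("file", [None])[0])
        if name is None:
            self.send_response(400)
            self.end_headers()
            self.wfile.write(b"bad file name\n")
            return
        code, out = convert(name)
        self.send_response(200 if code == 0 else 500)
        self.end_headers()
        self.wfile.write(out.encode())

if __name__ == "__main__":
    # Listen only on the container network; PHP posts file=<name>.pdf to port 8080.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

The PHP side then replaces exec() with an HTTP request to the converter container, and the web server user never touches the Docker CLI or socket.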