Unprivileged Containers: Shaving Yaks To Get the Toothpaste Back In the Tube
Matt Carroll
44CON 2025 · Day 2 · Main Track
When Yelp's internal security team discovered that any developer on a shared development machine could trivially escalate to root — courtesy of write access to the Docker socket, which is root-equivalent — the obvious answer was "just
AI review
Carroll spent 18 months closing a 10-year-old ticket that said 'Docker socket is root,' documented every place the yak-shaving took him, and delivered the most technically honest container security talk I've heard in years.
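The abstract's starting point is that on a shared development box, whoever can write to the Docker socket is effectively root. The audit below is an added example, not code from the talk or from Yelp: it parses /etc/group-format data (a constructed sample is embedded) and, given the socket's mode bits and owning gid, lists the users who can reach it. The live helper `audit_live` and the default socket path are assumptions for illustration. One caveat is built in: `grp` and /etc/group only list supplementary members, so a user whose primary group in /etc/passwd is `docker` would not appear here.

```python
import os
import stat

# Constructed sample of /etc/group lines for a hypothetical shared dev box.
SAMPLE_GROUP_FILE = """\
root:x:0:
docker:x:999:alice,bob
developers:x:1000:alice,bob,carol
"""


def parse_group_file(text):
    """Parse /etc/group-format text into {group_name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def socket_writers(sock_mode, sock_gid, groups):
    """Who can write to a socket with these permission bits and owning gid.

    Returns {"*"} if the socket is world-writable, the supplementary members
    of the owning group if it is group-writable, else an empty set. The file
    owner (normally root) is implicit and not reported. Primary-group members
    are NOT covered; cross-check /etc/passwd for gid == sock_gid separately.
    """
    if sock_mode & stat.S_IWOTH:
        return {"*"}
    if sock_mode & stat.S_IWGRP:
        for _name, (gid, members) in groups.items():
            if gid == sock_gid:
                return set(members)
    return set()


def audit_live(path="/var/run/docker.sock"):
    """Run the same check against a real socket on a Unix host (assumed path)."""
    import grp  # Unix-only; imported here so the pure functions stay portable

    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a socket")
    groups = {g.gr_name: (g.gr_gid, list(g.gr_mem)) for g in grp.getgrall()}
    return socket_writers(stat.S_IMODE(st.st_mode), st.st_gid, groups)


if __name__ == "__main__":
    groups = parse_group_file(SAMPLE_GROUP_FILE)
    # Typical Docker install: srw-rw---- root:docker, so the docker group is root.
    print("0660 root:docker ->", sorted(socket_writers(0o660, 999, groups)))
    print("0666 root:docker ->", sorted(socket_writers(0o666, 999, groups)))
    print("0600 root:docker ->", sorted(socket_writers(0o600, 999, groups)))
```

Every name this prints for a group-writable socket has root on the host; the talk's "10-year-old ticket" is exactly this list being non-empty on a machine shared by developers.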