Being a member of the docker group is the same as giving a user full root access to the system #131
Comments
The proper fix for this issue is to create an "ambassador daemon" which communicates with docker indirectly. |
This is waiting on user mappings:
|
This issue should be resolved within the realm of the docker project probably through a pull request. |
This allows you to not have your normal user be a member of the docker group #131 #223. This is extremely messy, non-documented, non-tested code. In order to use, create a `/root/.subuser` directory and put a `/root/.subuser/config.json` file inside:

```json
{
  "user": "timothy",
  "subuser-home-dirs-dir": "/home/timothy/subuser-homes"
}
```

Replace `timothy` with your username. This will allow you to run subuser as root, but have your subusers run as the user timothy. |
Is there still any plan to do this? I know of at least one lab whose IT department has refused to allow docker to be used on their cluster because it would allow non-privileged users to have root access. |
Right now, subuser can be run with sudo, however, it still needs elevated privileges to run. We are working on replacing Docker, but it is taking a lot of time because we have lots of ideas about what we want to improve, and we don't want to replace Docker with something untested and insecure.

On 06/27/2017 09:41 PM, Max Ehrlich wrote:

> Is there still any plan to do this? I know of at least one lab whose IT department has refused to allow docker to be used on their cluster because it would allow non-privileged users to have root access.
|
Since they can mount volumes to docker and run processes in docker as UID=0 (root)....
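An added audit script for the risk this issue describes (example code, not part of subuser or of any comment in this thread): it treats every member of the `docker` group as root-equivalent on the host, because the daemon runs as root and will mount host paths and start processes as UID 0 for anyone who can reach its socket. The functions take their inputs as strings so they can be exercised offline on constructed sample data; the group line, usernames and socket mode below are made up, and `getent`/`stat` in the comment are the real commands you would feed them on a host.

```shell
#!/bin/sh
# Added example, not subuser project code. Audit helpers for the
# "docker group == root" exposure. On a real host you would call:
#   audit_docker_access "$(getent group docker)" "$(stat -c '%a' /var/run/docker.sock)"

# Print the member list of the "docker" entry from /etc/group-formatted input
# (name:password:gid:member1,member2). Prints nothing if there is no such group.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4 }'
}

# Return 0 if an octal mode such as 660 or 0660 grants group or world write
# access to the socket, 1 if it is owner-only, 2 if the mode is malformed.
socket_is_shared() {
    mode=$1
    case $mode in *[!0-7]*|?|'') return 2 ;; esac
    last2=${mode#"${mode%??}"}   # last two octal digits: group, other
    g=${last2%?}
    o=${last2#?}
    [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]
}

# Print one finding per line. Returns 1 when the docker group has members,
# i.e. when unprivileged accounts hold root-equivalent access; 0 otherwise.
audit_docker_access() {
    group_line=$1
    sock_mode=$2
    status=0
    members=$(docker_group_members "$group_line")
    if [ -n "$members" ]; then
        echo "RISK: docker group members are root-equivalent on this host: $members"
        status=1
    else
        echo "OK: docker group has no members"
    fi
    if socket_is_shared "$sock_mode"; then
        echo "NOTE: socket mode $sock_mode is group/world writable; access is gated only by group membership"
    else
        echo "OK: socket mode $sock_mode is owner-only"
    fi
    return $status
}

# Constructed sample input (not from a real host): two members and the usual 660 socket.
audit_docker_access 'docker:x:999:timothy,alice' 660 || echo "audit flagged root-equivalent access"
```

The script deliberately does not try to decide whether a particular container invocation is dangerous; as the issue states, any member of the group can ask the root daemon to mount host volumes and run as UID 0, so the defensible control is to keep the group empty (or front the daemon with a restricted proxy, as the thread suggests) and to alert when it is not.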