Being a member of the docker group is the same as giving a user full root access to the system #131

Closed
timthelion opened this Issue Mar 5, 2014 · 13 comments

timthelion commented Mar 5, 2014

Since they can mount volumes to docker and run processes in docker as UID=0(root)....

@timthelion timthelion added this to the 1.0 milestone Mar 5, 2014

@timthelion timthelion added the security label Mar 5, 2014
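An audit for the condition this issue describes, added here as an example (it is not subuser's or Docker's code): it lists every non-root account that belongs to the `docker` group, whether as a supplementary member in `/etc/group` or through its primary GID in `/etc/passwd`. The sample file contents, GIDs and account names are constructed.

```python
# Constructed sample data in /etc/group and /etc/passwd format (not from the issue).
SAMPLE_GROUP = """\
root:x:0:
docker:x:998:timothy,ci-runner
users:x:100:alice
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
timothy:x:1000:1000::/home/timothy:/bin/bash
ci-runner:x:1001:1001::/home/ci-runner:/usr/sbin/nologin
alice:x:1002:100::/home/alice:/bin/bash
builder:x:1003:998::/home/builder:/bin/bash
"""


def rows(text, min_fields):
    """Split colon-delimited account records, skipping blanks, comments and short lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= min_fields:
                out.append(fields)
    return out


def docker_group_members(group_text, passwd_text, group_name="docker"):
    """Return {account: how it got membership} for non-root accounts in the group."""
    members, gid = {}, None
    for name, _pw, group_gid, user_list in (r[:4] for r in rows(group_text, 4)):
        if name == group_name:
            gid = group_gid
            for user in filter(None, user_list.split(",")):
                members[user] = "supplementary group"
    if gid is None:
        return {}  # no such group on this host
    accounts = rows(passwd_text, 7)
    for fields in accounts:
        if fields[3] == gid:  # primary GID never shows up in /etc/group's member list
            members[fields[0]] = "primary group"
    uid0 = {f[0] for f in accounts if f[2] == "0"}  # already root, nothing to report
    return {u: why for u, why in members.items() if u not in uid0}


if __name__ == "__main__":
    for user, why in sorted(docker_group_members(SAMPLE_GROUP, SAMPLE_PASSWD).items()):
        print(f"{user}: docker group via {why} -> treat as root-equivalent")
```

On a real host, pass the contents of `/etc/group` and `/etc/passwd` instead of the samples. Accounts supplied by LDAP or another NSS source do not appear in those files and need a separate check.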

timthelion commented Mar 5, 2014

The proper fix for this issue is to create an "ambassador daemon" which communicates with docker indirectly.

timthelion commented Mar 5, 2014

This is waiting on user mappings:

> Recent improvements in Linux namespaces will soon allow to run
> full-featured containers without root privileges, thanks to the new user
> namespace. This is covered in detail here. Moreover, this will solve the
> problem caused by sharing filesystems between host and guest, since the
> user namespace allows users within containers (including the root user) to
> be mapped to other users in the host system.

see here ...

timthelion commented Mar 5, 2014

This issue should be resolved within the realm of the docker project probably through a pull request.

timthelion added a commit that referenced this issue Oct 5, 2015

Allow running subuser as root user
This allows you to not have your normal user be a member of the docker group #131 #223. This is extremely messy, non-documented, non-tested code.

In order to use, create a `/root/.subuser` directory and put a `/root/.subuser/config.json` file inside:

```json
{
  "user": "timothy",
  "subuser-home-dirs-dir": "/home/timothy/subuser-homes"
}
```

Replace `timothy` with your username.

This will allow you to run subuser as root, but have your subusers run as the user timothy.

@timthelion timthelion added the Future label Apr 9, 2016

@timthelion timthelion closed this in 254f47f Jan 2, 2017

Queuecumber commented Jun 27, 2017

Is there still any plan to do this? I know of at least one lab whose IT department has refused to allow docker to be used on their cluster because it would allow non-privileged users to have root access.

timthelion commented Jun 28, 2017
