[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[atomic-devel] Proposal: no docker group by default



Atomic seems to ship a 'docker' group by default. Anyone added to this
group can completely bypass system policy, identity, and audit.

It should not be routine to add users to this group. It should be
routine to sudo in order to use docker.

I would like to suggest not having this group by default. It can be
added by admins if they really want to have it.

In fact the Docker documentation contains strong warnings about this
group, and suggests creating it when necessary:

https://docs.docker.com/installation/binaries/
https://docs.docker.com/articles/security/#dockersecurity-daemon

It's trivial to create this group when necessary. docker daemon only
checks the name of the group, not the gid.

It would be important to make such a decision soon. Ideally this week,
since people will come to depend on this group being present by default.

Stef

Attachment: signature.asc
Description: OpenPGP digital signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]