Atomic seems to ship a 'docker' group by default. Anyone added to this group can completely bypass system policy, identity, and audit. It should not be routine to add users to this group. It should be routine to sudo in order to use docker.

I would like to suggest not having this group by default. It can be added by admins if they really want to have it.

In fact the Docker documentation contains strong warnings about this group, and suggests creating it when necessary:

https://docs.docker.com/installation/binaries/
https://docs.docker.com/articles/security/#dockersecurity-daemon

It's trivial to create this group when necessary. docker daemon only checks the name of the group, not the gid.

It would be important to make such a decision soon. Ideally this week, since people will come to depend on this group being present by default.

Stef
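As an added example (not part of the message above, and not Atomic's or Docker's own tooling), a small POSIX shell audit an admin can run to see whether a 'docker' group is present and who is in it. It matches the group by name only, the same way the daemon does, and takes an optional group file path (default /etc/group) so it can be exercised against a constructed sample.

```shell
#!/bin/sh
# Added example: audit who holds daemon-equivalent access via the 'docker'
# group. The group is matched by name, as the daemon does, not by gid.
# Each function takes an optional group file path (default /etc/group) so
# the check can be run against a constructed sample instead of a live host.

docker_group_exists() {
    group_file="${1:-/etc/group}"
    awk -F: '$1 == "docker" { found = 1 } END { exit !found }' "$group_file"
}

# Print the members of the 'docker' group, space separated (empty if none).
docker_group_members() {
    group_file="${1:-/etc/group}"
    awk -F: '$1 == "docker" { gsub(",", " ", $4); print $4 }' "$group_file"
}

# Report each member; return 1 when anyone can reach the daemon without sudo.
audit_docker_group() {
    group_file="${1:-/etc/group}"
    if ! docker_group_exists "$group_file"; then
        echo "OK: no 'docker' group; daemon access goes through sudo"
        return 0
    fi
    members=$(docker_group_members "$group_file")
    if [ -z "$members" ]; then
        echo "OK: 'docker' group exists but has no members"
        return 0
    fi
    for m in $members; do
        echo "WARNING: $m is in 'docker' (root-equivalent, bypasses sudo audit)"
    done
    return 1
}

# Stand-alone run against a constructed sample group file (not a real system).
sample=$(mktemp)
printf 'root:x:0:\nwheel:x:10:alice\ndocker:x:990:alice,bob\n' > "$sample"
audit_docker_group "$sample" || echo "audit result: members found"
rm -f "$sample"
```

Run it with no argument to audit the real /etc/group; a non-zero exit means at least one account has root-equivalent daemon access without going through sudo.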