On 01/16/2015 09:41 AM, Stef Walter wrote:
> Atomic seems to ship a 'docker' group by default. Anyone added to this
> group can completely bypass system policy, identity, and audit.
>
> It should not be routine to add users to this group. It should be
> routine to sudo in order to use docker.
>
> I would like to suggest not having this group by default. It can be
> added by admins if they really want to have it.
>
> In fact the Docker documentation contains strong warnings about this
> group, and suggests creating it when necessary:
>
> https://docs.docker.com/installation/binaries/
> https://docs.docker.com/articles/security/#dockersecurity-daemon
>
> It's trivial to create this group when necessary. docker daemon only
> checks the name of the group, not the gid.
>
> It would be important to make such a decision soon. Ideally this week,
> since people will come to depend on this group being present by default.

So, "this week" I guess you mean "today"? :-)

Any strong support for having/keeping the "docker" group by default? I'm
sure some folks will complain about having to add it, but I am generally
in favor of being more secure, rather than opting for convenience that
relies on bad habits.

Best,

jzb
--
Joe Brockmeier | Principal Cloud & Storage Analyst
jzb redhat com | http://community.redhat.com/
Twitter: @jzb | http://dissociatedpress.net/
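An added audit check for the concern raised in the thread (example code, not part of the original message or of the Atomic/Docker projects): it lists who holds root-equivalent daemon access through the group named "docker", keyed on the name rather than the gid exactly as the daemon is, and reports the socket's group ownership if a daemon socket is present. The sample group file is constructed inline; the socket path /var/run/docker.sock is assumed.

```shell
#!/bin/sh
# Added example: audit docker-group access on a host. The daemon grants socket
# access by group *name* "docker", so the check keys on the name, not the gid.

# Print the comma-separated members of the group named "docker" in a group file
# (default /etc/group); prints nothing if the group is absent or empty.
docker_group_members() {
    group_file="${1:-/etc/group}"
    awk -F: '$1 == "docker" { print $4; exit }' "$group_file"
}

# Return 0 (no finding) when the docker group is absent or empty, 1 when it has
# members; one member per output line so it can feed an alert or ticket.
audit_docker_group() {
    group_file="${1:-/etc/group}"
    members="$(docker_group_members "$group_file")"
    if [ -z "$members" ]; then
        echo "OK: no users hold docker-group (root-equivalent) access in $group_file"
        return 0
    fi
    echo "FINDING: docker group bypasses sudo policy, identity and audit for:"
    echo "$members" | tr ',' '\n' | sed 's/^/  - /'
    return 1
}

# Live check of the daemon socket (assumed path): group owner and mode bits.
# Only runs when a socket exists; falls back to ls where GNU stat is absent.
docker_socket_group() {
    sock="${1:-/var/run/docker.sock}"
    [ -S "$sock" ] || { echo "no daemon socket at $sock"; return 0; }
    stat -c 'socket %n group=%G mode=%a' "$sock" 2>/dev/null || ls -ld "$sock"
}

# Constructed sample standing in for /etc/group on a host that shipped the group.
SAMPLE_GROUP_FILE="$(mktemp)"
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:
wheel:x:10:alice
docker:x:991:alice,bob
users:x:100:
EOF

audit_docker_group "$SAMPLE_GROUP_FILE" || true
docker_socket_group || true
```

Run it against the real /etc/group by dropping the argument; a non-zero exit from audit_docker_group is the signal that the group, rather than sudo, is the path to the daemon on that host.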