Re: [atomic-devel] Proposal: no docker group by default

On 01/16/2015 09:41 AM, Stef Walter wrote:
> Atomic seems to ship a 'docker' group by default. Anyone added to this
> group can completely bypass system policy, identity, and audit.
>
> It should not be routine to add users to this group. It should be
> routine to sudo in order to use docker.
>
> I would like to suggest not having this group by default. It can be
> added by admins if they really want to have it.
>
> In fact the Docker documentation contains strong warnings about this
> group, and suggests creating it when necessary:
>
> https://docs.docker.com/installation/binaries/
> https://docs.docker.com/articles/security/#dockersecurity-daemon
>
> It's trivial to create this group when necessary. docker daemon only
> checks the name of the group, not the gid.
>
> It would be important to make such a decision soon. Ideally this week,
> since people will come to depend on this group being present by default.

So, "this week" I guess you mean "today"? :-)

Any strong support for having/keeping the "docker" group by default? I'm
sure some folks will complain about having to add it, but I am generally
in favor of being more secure, rather than opting for convenience that
relies on bad habits.
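A defender-side check for the point the thread raises (membership in the "docker" group is effectively root, and the daemon matches the group by name rather than gid), added here as an example and not part of the original discussion. It assumes a POSIX shell with awk, and audits a constructed /etc/group sample held in SAMPLE_GROUP instead of reading the live system file; the functions read group-file content from stdin so they can be pointed at the real file with a redirect.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits group-file content for
# members of the "docker" group and reports each one as a finding, since
# access to the daemon socket lets a member start privileged containers.

# Constructed sample in /etc/group format (name:password:gid:members).
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
docker:x:993:bob,carol
users:x:100:'

# docker_group_members < group-file
# Prints the comma-separated member field of the "docker" group, or nothing
# if the group is absent or empty. Matching is by name only, mirroring how
# the daemon itself resolves the group.
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }'
}

# docker_group_exists < group-file
# Exits 0 if a "docker" group line is present, 1 otherwise.
docker_group_exists() {
    awk -F: '$1 == "docker" { found = 1 } END { exit !found }'
}

# audit_docker_group < group-file
# Prints one FINDING line per docker-group member. Returns 0 when nobody
# holds the membership (nothing to report) and 1 when at least one user does.
audit_docker_group() {
    members="$(docker_group_members)"
    [ -z "$members" ] && return 0
    echo "$members" | tr ',' '\n' | while read -r user; do
        [ -n "$user" ] && echo "FINDING: $user is in group docker (root-equivalent via daemon socket)"
    done
    return 1
}

# Run the audit over the constructed sample; on a real host use
#   audit_docker_group < /etc/group
printf '%s\n' "$SAMPLE_GROUP" | audit_docker_group || echo "docker group membership found; prefer sudo for docker use"
```

Pointing the same functions at /etc/group on a host that removed the group, as the proposal suggests, yields no findings; an admin who later recreates the group will show up again on the next run, which is the behaviour a periodic compliance check wants.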