On 16.01.2015 15:45, Joe Brockmeier wrote:
> On 01/16/2015 09:41 AM, Stef Walter wrote:
>> Atomic seems to ship a 'docker' group by default. Anyone added to this
>> group can completely bypass system policy, identity, and audit.
>>
>> It should not be routine to add users to this group. It should be
>> routine to sudo in order to use docker.
>>
>> I would like to suggest not having this group by default. It can be
>> added by admins if they really want to have it.
>>
>> In fact the Docker documentation contains strong warnings about this
>> group, and suggests creating it when necessary:
>>
>> https://docs.docker.com/installation/binaries/
>> https://docs.docker.com/articles/security/#dockersecurity-daemon
>>
>> It's trivial to create this group when necessary. docker daemon only
>> checks the name of the group, not the gid.
>>
>> It would be important to make such a decision soon. Ideally this week,
>> since people will come to depend on this group being present by default.
>
> So, "this week" I guess you mean "today"? :-)

Heh heh. I guess, I'm already thinking about next week too much :)

Stef
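An added example, not part of the original thread: a small audit that lists every local account in a group named `docker`, matching on the group name rather than a fixed gid because the message above says the daemon checks only the name. The function names and the sample `group`/`passwd` contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Local files only; accounts served
# from a directory (LDAP/SSSD) would need `getent group` / `getent passwd`.

# docker_group_members GROUP_FILE PASSWD_FILE
# Prints, sorted and unique, every user who is in the group NAMED "docker":
# supplementary members from the group file, plus users whose primary gid
# in the passwd file equals that group's gid.
docker_group_members() {
    awk -F: '
        # Group file format: name:passwd:gid:member,member,...
        pass == 1 && $1 == "docker" {
            gid = $3
            found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }
        # Passwd file format: name:passwd:uid:gid:gecos:home:shell
        pass == 2 && found && $4 == gid { print $1 }
    ' pass=1 "$1" pass=2 "$2" | sort -u
}

# write_sample DIR: constructed sample data (hypothetical accounts).
write_sample() {
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:alice
docker:x:990:alice,bob
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:990::/home/carol:/bin/bash
dave:x:1003:1003::/home/dave:/bin/bash
EOF
}

# Demo on the constructed sample: carol appears only via her primary gid.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
docker_group_members "$demo_dir/group" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

On a real host, pass `/etc/group` and `/etc/passwd`; an empty result means no local account currently has the sudo-free path the message describes.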