
[atomic-devel] Proposal: no docker group by default




  • From: Stef Walter <stefw redhat com>
  • To: "atomic-devel projectatomic io" <atomic-devel projectatomic io>
  • Subject: [atomic-devel] Proposal: no docker group by default
  • Date: Fri, 16 Jan 2015 15:41:22 +0100

Atomic seems to ship a 'docker' group by default. Anyone added to this
group can completely bypass system policy, identity, and audit.

It should not be routine to add users to this group. It should be
routine to sudo in order to use docker.

I would like to suggest not having this group by default. It can be
added by admins if they really want to have it.

In fact the Docker documentation contains strong warnings about this
group, and suggests creating it when necessary:

https://docs.docker.com/installation/binaries/
https://docs.docker.com/articles/security/#dockersecurity-daemon

It's trivial to create this group when necessary. docker daemon only
checks the name of the group, not the gid.

It would be important to make such a decision soon. Ideally this week,
since people will come to depend on this group being present by default.

Stef

I agree we should stop creating the group and fix the service script to handle it.
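
An audit check for the concern raised in this thread, as an added example that is not part of the original messages or of any project's code: it lists every account that belongs to the `docker` group, matching the group by name as the first message says the daemon does. The function names and the sample accounts are constructed for illustration, and the check reads local group and passwd files only, so accounts supplied by a directory service are not covered.

```shell
#!/bin/sh
# docker_group_users [GROUP_FILE] [PASSWD_FILE] [GROUP_NAME]
# Prints, one per line, every user who is a member of the named group, either
# as a supplementary member (group file) or through a primary gid (passwd file).
# Prints nothing when the group does not exist.
docker_group_users() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    group_name=${3:-docker}

    awk -F: -v name="$group_name" '
        # Group database: name:password:gid:member,member,...
        FILENAME == ARGV[1] {
            if ($1 == name) {
                gid = $3; found = 1
                n = split($4, members, ",")
                for (i = 1; i <= n; i++)
                    if (members[i] != "") print members[i]
            }
            next
        }
        # Passwd database: users whose primary group is the one found above.
        found && $4 == gid { print $1 }
    ' "$group_file" "$passwd_file" | sort -u
}

# Runs the check against constructed sample data (not taken from a real host).
demo_docker_group_users() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:' 'wheel:x:10:alice' \
        'docker:x:987:alice,bob' > "$d/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' \
        'ci:x:1002:987::/home/ci:/sbin/nologin' > "$d/passwd"
    docker_group_users "$d/group" "$d/passwd"
    rm -rf "$d"
}

demo_docker_group_users
```

Calling `docker_group_users` with no arguments checks the local `/etc/group` and `/etc/passwd`; empty output means no `docker` group is defined there.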


