- From: Stef Walter <stefw redhat com>
- To: "atomic-devel projectatomic io" <atomic-devel projectatomic io>
- Subject: [atomic-devel] Proposal: no docker group by default
- Date: Fri, 16 Jan 2015 15:41:22 +0100
Atomic seems to ship a 'docker' group by default. Anyone added to this group can completely bypass system policy, identity, and audit.

It should not be routine to add users to this group. It should be routine to sudo in order to use docker.

I would like to suggest not having this group by default. It can be added by admins if they really want to have it.

In fact the Docker documentation contains strong warnings about this group, and suggests creating it when necessary:

https://docs.docker.com/installation/binaries/
https://docs.docker.com/articles/security/#dockersecurity-daemon

It's trivial to create this group when necessary. docker daemon only checks the name of the group, not the gid.

It would be important to make such a decision soon. Ideally this week, since people will come to depend on this group being present by default.

Stef
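As an added example that is not part of Stef's message or of the Atomic project, the following POSIX shell script audits the point the mail makes: membership of a group named `docker` (matched by name, not by gid, which is how the daemon resolves it) is root-equivalent, so an admin wants to know who is in it. The script parses an `/etc/group`-style file; the sample contents and the user names in it are constructed for the example, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail: report who can reach the Docker
# daemon through the 'docker' group. Run against /etc/group on a real host;
# the constructed sample below lets it run offline.

# Constructed sample /etc/group content (not taken from any real system).
SAMPLE_GROUP='root:x:0:
wheel:x:10:admin
docker:x:990:alice,bob
users:x:100:'

# docker_group_members FILE
#   Prints the comma-separated member list of the group named "docker".
#   Matching is by name only, mirroring how the daemon looks the group up;
#   prints nothing if the group is absent or empty.
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }' "$1"
}

# audit_docker_group FILE
#   Returns 0 when nobody is in the docker group (or it does not exist),
#   1 when members are found. Each member has root-equivalent access to the
#   host via the daemon, so the finding is printed as a warning.
audit_docker_group() {
    members=$(docker_group_members "$1")
    if [ -z "$members" ]; then
        echo "ok: no members in the docker group"
        return 0
    fi
    echo "warning: docker group members (root-equivalent via the daemon): $members"
    return 1
}

# Usage: write the constructed sample to a temp file and audit it.
# Use "audit_docker_group /etc/group" on a real host.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_GROUP" > "$tmp"
if audit_docker_group "$tmp"; then
    echo "nothing to do"
else
    echo "review these accounts; prefer sudo for docker access"
fi
rm -f "$tmp"
```

On an image that follows the proposal, the group is simply absent and the audit reports ok; on a host where an admin later creates it, the same check shows exactly which accounts gained daemon access.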