- cross-posted to:
- programmerhumor@lemmy.ml
- cross-posted to:
- programmerhumor@lemmy.ml
You must log in or # to comment.
This is your regular reminder that docker isn’t a sandboxing solution and shouldn’t be treated as one.
TIL: uninstall docker on any machine with Claude code installed.
This was known for a decade now? That’s why adding a user to docker group was always an additional step with a warning
And also why podman works the way it does
Podman for the rescue. Runs fully under current user pribileges, so no sudo or other root-privileges needed to run containers.
(Especially useful for devs who want containers but should not get sudo.)there’s just that pesky IBM thing that’s constantly hanging around in the back waiting to pull the rug you’re standing on.
I mean, there’s a big ol’ warning in the docs: https://docs.docker.com/engine/install/linux-postinstall/
The docker group grants root-level privileges to the user
But, I guess Docker doesn’t really tell you not to do this… and I feel like a lot of mac users are not used to adding sudo at the front of docker commands so… idk.
… and the Nextcloud developers think it’s completely reasonable to build a plugin system where you give this access to a web facing PHP application.
What could possibly go wrong?
Sounds like Docker is just inherently unsecure.
In the same way that sudo is.
Sudo makes you enter your password and docker doesn’t?
Sudo can/usually does ask for password - but if you’re feeling lucky you can use sudo without a password.
(Currently doing that after repeatedly failing to install an OS and have not yet felt compelled to change it back).
Docker does by default - it only works if you use sudo. But the docs tell you to add yourself to the docker group (which requires sudo to do). Then running docker doesn’t require sudo anymore.
Yeah, that’s a terrible decision in the docs. Don’t ever add a path where anything on the shell can execute user-modifyable code as root.
As soon as you do that, you lose any protection that comes from separating root users and non-root users. Because now any malicious program can just use docker to elevate its code to root.
Or don’t give your user docker and use sudo to use the docker CLI to get the same effect. Hell, you could even alias docker as
sudo dockerto get the same feel.Only if you tell it to.
Sadly, nobody reads docs anymore. Now that I’m thinking, people never read the docs.
Removed by mod
deleted by creator
I have never even looked at the Docker docs
Never ever add any users to the
dockergroup. Rootless mode is cool tho (albeit with some caveats)Slowly reaches for shotgun…
I’m sorry Dave, I’m afraid I can’t allow you to do that.
Podman will save us from the Terminators.
I remember when I first needed to run containers I specifically went with podman because it doesn’t require root access out of some vague fear that docker can be exploited to break my stuff. I feel validated.
Rootless docker exists now. Not sure why people still don’t use it.
LXC! LXC! LXC!
Is that normal config?
