I see potential in unc; I was playing with it as a non-root user. I know it's just a PoC.
http://bcksp.blogspot.com/2016/02/playing-with-unc-unprivileged-user.html?m=1

On Mon, Feb 29, 2016, 8:41 PM Josh Berkus <[email protected]> wrote:

> On 02/29/2016 10:23 AM, Daniel J Walsh wrote:
> >> From a personal experience perspective, I can also note that whatever
> >> additional security we think we're getting from the current defaults
> >> doesn't actually exist in practice: all the current default security
> >> settings mean is that I always invoke docker with full root privileges
> >> (via sudo).
> > The difference here is there is some logging that you executed a sudo
> > docker command, as opposed to no logging whatsoever. And if you did not
> > set up sudo without a password, you at least would block some attack
> > vectors where a process running in your userspace will not be able to
> > run root commands. With the docker group any process running as your UID
> > can become root with no logging.
> >
> > Only being able to execute some docker commands through sudo and some
> > scripting is far more secure than setting up the docker group. If you
> > want to set up the docker group on your system it will work, but this is
> > not something we should be encouraging any more than we should encourage
> > people to set up sudo without a password.
>
> In fact, using the docker group does not work with atomic.app.
>
> I get what you're saying about system security. On the other hand, we
> need some way for developers to work in their chosen IDE/text
> editor/etc. for developing atomic apps if we expect them to use the
> platform at all. Right now, if I want a reasonable workflow for
> fork-and-edit for atomic.app, I need to be running Atom as root. That's
> not exactly a security improvement, and there's a bunch of steps to make
> it work.
>
> --
> Josh Berkus
> Project Atomic
> Red Hat OSAS
>
> _______________________________________________
> Container-tools mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/container-tools
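As an added example (not from this thread or from any project mentioned in it) of the "some docker commands through sudo and some scripting" approach Daniel describes: a wrapper that a sudoers rule can be limited to, which forwards only an allow list of docker subcommands, refuses options that would hand out host access, and logs every request with the invoking user. The install path, the sudoers group name and the docker binary path are assumptions.

```shell
#!/bin/sh
# docker-wrapper (constructed example): the only docker entry point sudo grants.
# Assumed install path /usr/local/bin/docker-wrapper, granted via a sudoers rule like
#   %developers ALL=(root) /usr/local/bin/docker-wrapper
# so developers hold neither the docker group (root-equivalent, unlogged) nor an
# unrestricted "sudo docker". Every request is logged to syslog with the caller's name.
DOCKER=/usr/bin/docker   # assumed location of the real docker binary

# Allow list of subcommands that neither start containers nor touch the host.
# "build" is included because it is what the edit-and-rebuild workflow needs.
docker_cmd_allowed() {
    case "$1" in
        ps|images|logs|inspect|version|info|build) return 0 ;;
        *) return 1 ;;
    esac
}

# Deny list of options that would give host access even through an allowed
# subcommand (bind mounts, privileged mode, host namespaces, extra capabilities).
docker_args_safe() {
    for arg in "$@"; do
        case "$arg" in
            --privileged|-v|-v=*|--volume|--volume=*|--mount|--mount=*) return 1 ;;
            --pid*|--ipc*|--network*|--net*|--userns*|--device*) return 1 ;;
            --cap-add*|--security-opt*) return 1 ;;
        esac
    done
    return 0
}

# Returns 0 when the whole argument vector may be passed on to docker.
docker_request_allowed() {
    docker_cmd_allowed "$1" || return 1
    shift
    docker_args_safe "$@"
}

main() {
    user="${SUDO_USER:-$(id -un)}"   # sudo records the real caller in SUDO_USER
    if docker_request_allowed "$@"; then
        logger -t docker-wrapper "ALLOW user=$user args=$*"
        exec "$DOCKER" "$@"
    fi
    logger -t docker-wrapper "DENY user=$user args=$*"
    echo "docker-wrapper: refused: docker $*" >&2
    exit 1
}

# Dispatch only when run under the installed name; sourcing the file for tests skips main.
case "$0" in *docker-wrapper) main "$@" ;; esac
```

Combined with sudo's own logging, this gives the audit trail Daniel contrasts with the docker group, while the narrow allow list keeps "sudo docker" from being a plain root shell.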
