On 1 March 2016 at 04:23, Daniel J Walsh <[email protected]> wrote: > On 02/27/2016 01:47 AM, Nick Coghlan wrote: >> >From a personal experience perspective, I can also note that whatever >> additional security we think we're getting from the current defaults >> doesn't actually exist in practice: all the current default security >> settings mean is that I always invoke docker with full root privileges >> (via sudo). > > The difference here is there is some logging that You executed sudo docker > command, > as opposed to no logging whatsoever. And if you did not setup sudo without > a password > you at least would block some attack vectors where a process running in your > usespace will > not be able to run root commands. With docker group any process running as > your UID can > become root with no logging.
Ouch! OK, I withdraw my comment - authenticating my shell session every now and then is definitely preferable to arbitrary processes I run being able to gain root access :) However, I'm not an IDE user (I work with a text editor + separate terminal window), so that's less of a hassle for me than it would be for folks that are using a bit more client side automation. Cheers, Nick. -- Nick Coghlan | [email protected] | Brisbane, Australia _______________________________________________ Container-tools mailing list [email protected] https://www.redhat.com/mailman/listinfo/container-tools
