[Container-tools] Security vs. Usability: atomic commands and permissions
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 29 18:23:45 UTC 2016
On 02/27/2016 01:47 AM, Nick Coghlan wrote:
> On 27 February 2016 at 12:15, Josh Berkus <jberkus at redhat.com> wrote:
>> Folks,
>>
>> So I'm testing the new atomicapp tutorial documentation, and one thing I'm
>> running across as a major usability issue for Linux desktop developers is
>> that most of the commands require sudo, and create files which are owned and
>> editable only by root. Which means that I can't easily pull, fork and
>> modify Nulecule applications for my own use in my text editor of choice
>> (Atom, for example).
>>
>> Now, this isn't a problem if you're running in an atomic host VM, where
>> you're logged in as root. But supposedly one of the benefits of using
>> Fedora Workstation as your dev environment is not needing to run a VM. We
>> should be promoting it as the superior developer OS.
>>
>> Now, I know that the "docker group" approach which Docker takes has some
>> major security issues ... but if we're not going to support that, then we
>> need something else which is equally easy to use for developers on their own
>> laptops.
> From a personal experience perspective, I can also note that whatever
> additional security we think we're getting from the current defaults
> doesn't actually exist in practice: all the current default security
> settings mean is that I always invoke docker with full root privileges
> (via sudo).
The difference here is there is some logging that you executed a sudo docker command, as opposed to no logging whatsoever. And if you did not set up sudo without a password, you at least would block some attack vectors where a process running in your userspace will not be able to run root commands. With the docker group any process running as your UID can become root with no logging.

Only being able to execute some docker commands through sudo and some scripting is far more secure than setting up the docker group. If you want to set up the docker group on your system it will work, but this is not something we should be encouraging any more than we should encourage people to set up sudo without a password.
> So, rather than a risk of potential escalation to root access on the
> host, we have *guaranteed* root access on the host (as otherwise I
> can't run docker commands at all).
>
> This may also be a case where it makes sense to have the default
> settings on Fedora Workstation diverge from those on Fedora Server and
> Fedora Atomic Host.
>
> Cheers,
> Nick.
>
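An added illustration of the "sudo plus some scripting" approach mentioned above (example code written for this page, not a tool from the thread or from Red Hat): a wrapper that sudo is allowed to run in place of the bare docker binary, so each call is logged by sudo and only an allowlist of subcommands gets through. The install path, group name and the subcommand/option lists are assumptions chosen for the example.

```shell
#!/bin/sh
# docker-restricted: hypothetical sudo wrapper (added example, not from the thread).
# Install as /usr/local/bin/docker-restricted (assumed path) and grant only it
# in sudoers, e.g.:
#   %devs ALL=(root) /usr/local/bin/docker-restricted
# sudo then records who ran which docker command, which the docker-group
# approach never does.

# Subcommands that cover pull/inspect/build workflows without creating
# containers. "run" is deliberately absent: its options (-v, --privileged,
# --pid=host, ...) are exactly what turns docker access into root on the host.
ALLOWED_SUBCMDS="pull images ps logs inspect build stop"

# Options refused even for allowed subcommands (illustrative, not exhaustive).
DENIED_OPTS="-v --volume --mount --privileged --pid --net --network --cap-add --security-opt"

# check_docker_args SUBCMD [ARGS...]: returns 0 if the call is permitted, 1 otherwise.
check_docker_args() {
    [ $# -gt 0 ] || return 1
    sub="$1"; shift
    ok=1
    for a in $ALLOWED_SUBCMDS; do [ "$a" = "$sub" ] && ok=0; done
    [ "$ok" -eq 0 ] || return 1
    for arg in "$@"; do
        for d in $DENIED_OPTS; do
            case "$arg" in
                "$d"|"$d"=*) return 1 ;;
            esac
        done
    done
    return 0
}

# When executed (rather than sourced), enforce the policy, then hand off to docker.
if [ "${0##*/}" = "docker-restricted" ]; then
    if check_docker_args "$@"; then
        exec /usr/bin/docker "$@"
    else
        echo "docker-restricted: refused: docker $*" >&2
        exit 1
    fi
fi
```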