[Container-tools] Security vs. Usability: atomic commands and permissions

Muayyad AlSadi alsadi at gmail.com
Mon Feb 29 18:47:55 UTC 2016


I see potential in unc; I was playing with it as a non-root user.

I know it's just a PoC.

http://bcksp.blogspot.com/2016/02/playing-with-unc-unprivileged-user.html?m=1

On Mon, Feb 29, 2016, 8:41 PM Josh Berkus <jberkus at redhat.com> wrote:

> On 02/29/2016 10:23 AM, Daniel J Walsh wrote:
> >> From a personal experience perspective, I can also note that whatever
> >> additional security we think we're getting from the current defaults
> >> doesn't actually exist in practice: all the current default security
> >> settings mean is that I always invoke docker with full root privileges
> >> (via sudo).
> > The difference here is there is some logging that you executed the sudo
> > docker command, as opposed to no logging whatsoever.  And if you did not
> > set up sudo without a password, you at least would block some attack
> > vectors where a process running in your userspace will not be able to
> > run root commands.  With the docker group, any process running as your
> > UID can become root with no logging.
> >
> > Only being able to execute some docker commands through sudo, using sudo
> > and some scripting, is far more secure than setting up the docker group.
> > If you want to set up the docker group on your system it will work, but
> > this is not something we should be encouraging any more than we should
> > encourage people to set up sudo without a password.
>
> In fact, using the docker group does not work with atomic.app.
>
> I get what you're saying about system security.  On the other hand, we
> need some way for developers to work in their chosen IDE/text
> editor/etc. for developing atomic apps if we expect them to use the
> platform at all.  Right now, if I want a reasonable workflow for
> fork-and-edit for atomic.app, I need to be running Atom as root.  That's
> not exactly a security improvement, and there's a bunch of steps to make
> it work.
>
> --
> Josh Berkus
> Project Atomic
> Red Hat OSAS
>
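One way to realize the "sudo plus some scripting" approach argued for in the quoted reply, as an added example that is not code from the thread or from Project Atomic: a wrapper that sudoers exposes instead of the docker group, which forwards only a fixed list of docker subcommands and logs every request with the invoking user. The install path, the `devs` group, the sudoers line and `/usr/bin/docker` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed install path and sudoers rule:
#   /usr/local/bin/docker-limited
#   %devs ALL=(root) /usr/local/bin/docker-limited
# Members of "devs" then run, e.g.:  sudo docker-limited ps
# Unlike the docker group, root is never handed out wholesale: only the
# subcommands below are forwarded, and each call is recorded via syslog.

ALLOWED_SUBCOMMANDS="ps images logs build pull inspect"

# allowed_subcommand SUBCMD -> returns 0 if SUBCMD is whitelisted, 1 otherwise.
allowed_subcommand() {
    for s in $ALLOWED_SUBCOMMANDS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# decide_request SUBCMD -> prints "allow" or "deny" (empty subcommand is denied).
decide_request() {
    if [ -n "$1" ] && allowed_subcommand "$1"; then
        echo allow
    else
        echo deny
    fi
}

# run_limited ARGS... -> logs who asked for what, then forwards only if allowed.
run_limited() {
    sub="$1"
    who="${SUDO_USER:-$(id -un)}"        # SUDO_USER is set by sudo itself
    decision="$(decide_request "$sub")"
    logger -t docker-limited "user=$who decision=$decision args: $*"
    if [ "$decision" != allow ]; then
        echo "docker-limited: subcommand '$sub' is not permitted" >&2
        return 1
    fi
    exec /usr/bin/docker "$@"            # assumed docker binary path
}

# Dispatch only when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    run_limited "$@"
fi
```

Requests that reach the wrapper are visible in the system log as `docker-limited` entries, which is the audit trail the quoted reply points out the docker group never produces.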