Feature request: Don't suggest adding the user to docker group for security reasons #874

Closed
ghost opened this issue Jul 24, 2023 · 2 comments


ghost commented Jul 24, 2023

Is your feature request related to a problem? Please describe.
Adding the Linux user (e.g. whoami > omar) to the docker group is discouraged by Docker these days -- for good reasons. It is the equivalent of providing passwordless sudo to all running applications and their plugins.

macOS or even Linux Docker Desktop users don't have this issue because Docker runs in its own virtual machine; therefore there's no need to add the user to the docker group.

The docker group grants root-level privileges to the user [and all running applications, which makes desktop users very vulnerable]. For details on how this impacts security in your system, see Docker Daemon Attack Surface. -- Docker docs in addition to my explanation between brackets.

Tutor gives this advice -- which I think it shouldn't:

tutor/tutor/commands/cli.py

Lines 115 to 119 in faf43bd

fmt.echo_alert(
    "You are running Tutor as root. This is strongly not recommended. If you are doing this in order to access"
    " the Docker daemon, you should instead add your user to the 'docker' group. (see https://docs.docker.com"
    "/install/linux/linux-postinstall/#manage-docker-as-a-non-root-user)"
)

Describe the solution you'd like

Use rootless docker. I recently started using rootless docker which is -- surprisingly -- compatible with the Open edX devstack. Last time I tested it with Tutor I had problems. I plan to test again in two weeks or so.

Describe alternatives you've considered
Enforce sudo prefix to all docker calls.

I usually solve this by creating two scripts in the ~/bin directory, which is a non-standard solution that I came up with:

# ~/bin/docker
sudo /usr/bin/docker "$@"
# ~/bin/docker-compose
sudo /usr/bin/docker-compose "$@"

This works in 99% of cases, but sometimes fails if Docker-compose or devstack tries to do something "too smart"/complicated.

It's annoying since it requires entering a password for every new Terminal instance for even the simplest commands like docker ps.

Additional context


ghost commented Jul 24, 2023

Apparently, I've posted from another GitHub account -- @OmarIthawi.

@OmarIthawi
Contributor

Please close this in favor of the other issue so I can follow up with it: #875

@regisb regisb closed this as completed Jul 31, 2023
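
The following is an added example, not Tutor's code and not written by any participant in this thread. It shows one way a CLI could tell the access modes discussed in the opening post apart, by classifying the daemon socket's owner and mode: a root-owned socket the user can write to (the docker group case) versus a socket owned by the unprivileged user (rootless Docker). The function names and category labels are assumptions for this example; only `DOCKER_HOST` and the default socket path are considered, and POSIX ACLs and Docker contexts are ignored.

```python
import os
from urllib.parse import urlparse

DEFAULT_SOCKET = "/var/run/docker.sock"  # default socket of a rootful daemon


def socket_path(docker_host):
    """Local socket path for a DOCKER_HOST value; None if the daemon is remote."""
    if not docker_host:
        return DEFAULT_SOCKET
    parsed = urlparse(docker_host)
    return parsed.path if parsed.scheme == "unix" else None


def can_write(uid, gids, sock_uid, sock_gid, mode):
    """POSIX permission check: connecting to a Unix socket needs write access."""
    if sock_uid == uid:
        return bool(mode & 0o200)
    if sock_gid in gids:
        return bool(mode & 0o020)
    return bool(mode & 0o002)


def classify(uid, gids, sock_uid, sock_gid, mode):
    """Label (assumed names) for what reaching this socket grants the caller."""
    if uid == 0:
        return "running-as-root"
    if not can_write(uid, gids, sock_uid, sock_gid, mode):
        return "no-direct-access"   # e.g. docker only reachable through sudo
    if sock_uid == 0:
        return "root-equivalent"    # e.g. member of the 'docker' group
    if sock_uid == uid:
        return "rootless"           # daemon socket owned by this unprivileged user
    return "other-user-daemon"


def inspect(environ=os.environ):
    """Classify the current process against the socket DOCKER_HOST points to."""
    path = socket_path(environ.get("DOCKER_HOST"))
    if path is None:
        return "remote-daemon"
    try:
        st = os.stat(path)
    except OSError:
        return "no-socket"
    gids = set(os.getgroups()) | {os.getegid()}
    return classify(os.geteuid(), gids, st.st_uid, st.st_gid, st.st_mode)
```

Because `inspect()` reads the groups of the running process, it reflects the access the process actually has rather than what `/etc/group` says after an edit that has not yet taken effect.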