[-] BlueKey@fedia.io 9 points 2 hours ago

Podman to the rescue. Runs fully under current user privileges, so no sudo or other root-privileges needed to run containers.
(Especially useful for devs who want containers but should not get sudo.)

[-] GreenKnight23@lemmy.world 1 points 59 minutes ago

there's just that pesky IBM thing that's constantly hanging around in the back waiting to pull the rug you're standing on.

[-] JRaccoon@discuss.tchncs.de 16 points 3 hours ago

Never ever add any users to the docker group. Rootless mode is cool tho (albeit with some caveats)

[-] marlowe221@lemmy.world 33 points 4 hours ago

Slowly reaches for shotgun…

[-] daniskarma@lemmy.dbzer0.com 1 points 1 hour ago

I'm sorry Dave, I'm afraid I can't allow you to do that.

[-] uuj8za@piefed.social 53 points 5 hours ago* (last edited 5 hours ago)

I mean, there's a big ol' warning in the docs: https://docs.docker.com/engine/install/linux-postinstall/

The docker group grants root-level privileges to the user

But, I guess Docker doesn't really tell you not to do this... and I feel like a lot of mac users are not used to adding sudo at the front of docker commands so... idk.

[-] ChromaticMan@lemmy.world 8 points 3 hours ago

Sadly, nobody reads docs anymore. Now that I’m thinking, people never read the docs.

[-] SirHaxalot@nord.pub 23 points 4 hours ago

… and the Nextcloud developers think it’s completely reasonable to build a plugin system where you give this access to a web facing PHP application.

[-] SpaceNoodle@lemmy.world 32 points 5 hours ago

Sounds like Docker is just inherently unsecure.

[-] hperrin@lemmy.ca 11 points 5 hours ago

In the same way that sudo is.

[-] cornshark@lemmy.world 38 points 5 hours ago

Sudo makes you enter your password and docker doesn't?

[-] locuester@lemmy.zip 21 points 4 hours ago

Docker does by default - it only works if you use sudo. But the docs tell you to add yourself to the docker group (which requires sudo to do). Then running docker doesn’t require sudo anymore.

[-] squaresinger@lemmy.world 20 points 4 hours ago

Yeah, that's a terrible decision in the docs. Don't ever add a path where anything on the shell can execute user-modifiable code as root.

As soon as you do that, you lose any protection that comes from separating root users and non-root users. Because now any malicious program can just use docker to elevate its code to root.
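
One way to audit a host for the situation described in the comment above, as an added example that is not part of the thread: it lists every account that reaches the docker group either as a supplementary member or through its primary GID. The function names and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: find accounts that are root-equivalent via the docker group.
# File paths are parameters so the audit can run against copies of the files.

# docker_group_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one account per line (sorted, unique).
docker_group_members() {
    group_file=$1; passwd_file=$2; group_name=${3:-docker}
    # group line format: name:password:GID:member1,member2
    line=$(awk -F: -v g="$group_name" '$1 == g { print; exit }' "$group_file")
    [ -n "$line" ] || return 0
    gid=$(printf '%s\n' "$line" | cut -d: -f3)
    {
        # supplementary members listed on the group line
        printf '%s\n' "$line" | cut -d: -f4 | tr ',' '\n'
        # accounts whose primary GID is the group (passwd field 4)
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sed '/^$/d' | sort -u
}

# audit_docker_group GROUP_FILE PASSWD_FILE
# Returns 1 and prints one finding per non-root account in the group.
audit_docker_group() {
    members=$(docker_group_members "$1" "$2" | grep -vx root || true)
    if [ -z "$members" ]; then return 0; fi
    for m in $members; do
        echo "FINDING: $m can drive the Docker daemon without sudo"
    done
    return 1
}

# make_sample DIR: writes constructed group and passwd files (not real accounts).
make_sample() {
    printf '%s\n' 'root:x:0:' 'sudo:x:27:alice' 'docker:x:998:alice,bob' \
        > "$1/group"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'bob:x:1001:1001::/home/bob:/bin/bash' \
        'ci:x:1002:998::/home/ci:/bin/sh' > "$1/passwd"
}

# Demo on the constructed sample; on a real host pass /etc/group /etc/passwd.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_docker_group "$demo_dir/group" "$demo_dir/passwd" || echo "review the accounts above"
rm -rf "$demo_dir"
```

On hosts that take groups from LDAP or SSSD, the flat files are incomplete; `getent group docker` shows the resolved membership.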

[-] Zikeji@programming.dev 19 points 5 hours ago

Or don't give your user docker and use sudo to use the docker CLI to get the same effect. Hell, you could even alias docker as sudo docker to get the same feel.

[-] hperrin@lemmy.ca 3 points 5 hours ago

Only if you tell it to.

[-] blarth@thelemmy.club 49 points 6 hours ago

Podman will save us from the Terminators.

[-] tatterdemalion@programming.dev 1 points 55 minutes ago

Rootless docker exists now. Not sure why people still don't use it.

[-] msage@programming.dev 3 points 1 hour ago

LXC! LXC! LXC!

[-] craftrabbit@lemmy.zip 35 points 5 hours ago

I remember when I first needed to run containers I specifically went with podman because it doesn't require root access out of some vague fear that docker can be exploited to break my stuff. I feel validated.

[-] diabetic_porcupine@lemmy.world 3 points 3 hours ago

Is that normal config?

this post was submitted on 01 Jun 2026
197 points (98.5% liked)

Programmer Humor
