Docker Community Forums


Practices in Ubuntu 16.04.3 LTS desktop


(Gussaki) #1

Hello all, I am really sorry if I am asking something that could be in another post, but I am in a dilemma.
My OS is Ubuntu 16.04.3 LTS with a sudo user (aka the ordinary Ubuntu setup).

I am planning to make a WordPress, Drupal, etc. development environment and I am learning how to Docker and more.

I’ve read many, many articles regarding the setup and execution of commands, though I am confused about something.

Is it better to run docker with sudo, or to add the user I am using to work on the desktop to the docker group and run commands like docker-compose up -d instead of sudo docker-compose up -d?

I’ve read that it is a security issue if I put the user in the docker group. Is that true, or does it apply to a Docker deployment that serves content to the web?

Thank you a lot in advance for your replies.


(Sam) #2

By default the Docker container programs run as user root, so you do not need sudo.

If you change the user ID, then you might need sudo, but you should design it so that you do not…
Admin authority is always troublesome.


(Gussaki) #3

Yes, the socket runs with root privileges. The user I installed Docker with, and that I am running the system as, is the typical Ubuntu user in the sudo group. When I want to use Docker, for example to check the running containers, I usually do sudo docker ps.

Would it be good practice (security-wise) to add this user to the docker group, as mentioned here? --> https://docs.docker.com/install/linux/linux-postinstall/

Or is it more secure to run it through sudo?

I am talking about a local development machine and not intending to serve web pages to the public.

Thanks a lot again.


(Rgerhards) #4

Let’s see what the security issue is (at least one). The containers usually run as root. This permits you to bypass permission checks on the host.

Let’s assume a $USER is inside the docker group. So he can run

$ docker run -v/etc:/malicious -ti --rm alpine
# cd /malicious
# vi sudoers
.... edit, write ...
# <ctl>-D

As such, the user can modify system config that he could not access otherwise. It’s a real risk. But if you have a one-person “personal” machine/VM where the user has sudo permissions in any case … I’d say it’s no real issue.

HTH
Ranier
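
Added example, not part of the thread: a small audit of the distinction drawn in post #4, listing accounts that are in the docker group but do not already have sudo, since for those accounts the group membership is a real privilege increase. It assumes admin rights come from the "sudo" group as on a default Ubuntu install; the function names and the sample group file are constructed for illustration.

```sh
#!/bin/sh
# Added example: who is in the docker group without already having sudo?
# Assumption: admin rights come from the "sudo" group (Ubuntu default);
# rules granted directly in /etc/sudoers are not inspected.

# group_members FILE GROUP: print the members of GROUP, one per line.
# Reads the group(5) format name:passwd:gid:user1,user2 and so only sees
# supplementary members, not users whose primary GID is the group.
group_members() {
    awk -F: -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$1" | sort -u
}

# docker_only FILE: users in "docker" who are not in "sudo". For these
# accounts docker group membership grants access they otherwise lack.
docker_only() {
    sudoers=$(group_members "$1" sudo)
    for u in $(group_members "$1" docker); do
        printf '%s\n' "$sudoers" | grep -qxF -- "$u" || printf '%s\n' "$u"
    done
}

# Constructed sample group file (not taken from any real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:x:0:
sudo:x:27:alice
docker:x:999:alice,deploy,ci
www-data:x:33:
EOF

# Replace "$SAMPLE" with /etc/group to audit a real machine.
for u in $(docker_only "$SAMPLE"); do
    echo "WARNING: $u is in docker but not in sudo (root-equivalent access)"
done
```

On the sample data, alice is not reported because she is already in sudo, which is the single-user desktop case discussed in the thread.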