[Discuss] sandboxing web browsers
Richard Pieri
richard.pieri at gmail.com
Mon Jun 22 10:40:57 EDT 2015
On 6/21/2015 10:38 PM, Tom Metro wrote:
> The Docker daemon runs as root. If the non-privileged user starting FF
> is put in the docker group and allowed to start any container, then yes,
> they have root. If instead a SetUID script or sudo rule is used to
> launch a specific container, which does not launch a root shell, then
> the resulting container and FF process won't have root privileges.
Docker requires root to initialize containers. It's how Docker was
designed. It's a known design flaw and the Docker folks have gone on
record stating that they don't intend to fix it. So, if you're going to
let me start Docker containers then I will be able to elevate myself to
root on the host. The only way to stop me is not to let me start Docker
containers at all.
>> Docker does not work "perfectly well" in the first place in my experience.
>
> That may very well be your experience. But some of us use it daily and
> find that it does the intended job.
FSVO "intended". My experience is that developers have been using Docker
to rationalize piss-poor deployment practices. It doesn't matter to them
if their run time environments are utter hell for users to recreate,
just put it all in a container and copy the hell everywhere.
One most egregious example that I've had to deal with, a project called
ShareLaTeX, their environments are so bad that their containers are the
only supported way of deploying. So bad that their containers don't work
outside of their own environments.
--
Rich P.
More information about the Discuss
mailing list