On Fri, Jul 4, 2025, 19:30 Debian Wiki <[email protected]> wrote:
The "Docker" page has been changed by BordenRhodes: https://wiki.debian.org/Docker?action=diff&rev1=40&rev2=41
Comment:
Moving Podman plug into security warning. Consider making its own section.
Docker has no equivalent to `sudo`'s password check, so an arbitrary-code-execution exploit against a user in the `docker` group effectively grants the attacker root access. Therefore, the safer choice is to __''never''__ add a user account — even your own — to the `docker` group, so that Docker commands can only be used via `sudo`.
+ If Docker running at root level is an unacceptable security risk,
consider [[Podman]] instead, which provides similar functionality but runs without root privileges.
+
See also [[https://docs.docker.com/go/attack-surface/|"Docker daemon attack surface" in the upstream documentation]] for more details.
}}}
Instead of a reference to Podman in an article about Docker, this should mention running Docker in "rootless" mode:
https://docs.docker.com/engine/security/rootless/
(Podman should stick to articles about Podman.)
❤️,
- Tianon
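As an added illustration of the two points in this thread (membership in the `docker` group is root-equivalent, and rootless mode is the Docker-native alternative), here is a small audit helper. It is not from the wiki page or from anyone in the thread; the `/etc/group` lines and the `docker info --format '{{.SecurityOptions}}'` strings below are constructed samples, and the assumption that a rootless daemon reports `name=rootless` in that field is mine.

```shell
#!/bin/sh
# Audit helper: who holds root-equivalent access via the docker group,
# and does the daemon run rootless? (Added example, not wiki or thread code.)

# Constructed sample of /etc/group; a real audit reads /etc/group instead.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
docker:x:998:alice,bob
users:x:100:'

# Constructed samples of `docker info --format '{{.SecurityOptions}}'`
# output (assumed format): a rootful daemon and a rootless one.
SAMPLE_SECOPTS_ROOTFUL='[name=apparmor name=seccomp,profile=builtin name=cgroupns]'
SAMPLE_SECOPTS_ROOTLESS='[name=seccomp,profile=builtin name=rootless name=cgroupns]'

# Print docker group members, one per line, from /etc/group content on stdin.
docker_group_members() {
    awk -F: '$1 == "docker" && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }'
}

# Exit 0 when the docker group is empty: the state the wiki text recommends.
docker_group_is_empty() {
    [ -z "$(printf '%s\n' "$1" | docker_group_members)" ]
}

# Exit 0 when the SecurityOptions string reports a rootless daemon.
daemon_is_rootless() {
    case "$1" in
        *name=rootless*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable report over group content and SecurityOptions output.
audit_report() {
    members=$(printf '%s\n' "$1" | docker_group_members)
    if [ -n "$members" ]; then
        printf 'docker group grants root-equivalent access to:\n%s\n' "$members"
    else
        echo 'docker group is empty'
    fi
    if daemon_is_rootless "$2"; then echo 'daemon: rootless'; else echo 'daemon: rootful'; fi
}

# Stand-alone run over the constructed samples.
audit_report "$SAMPLE_GROUP" "$SAMPLE_SECOPTS_ROOTFUL"
```

On a live host, feed `docker_group_members < /etc/group` and `daemon_is_rootless "$(docker info --format '{{.SecurityOptions}}')"`.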