Sounds like Docker is just inherently unsecure.
SpaceNoodle 64 points 22 days ago
locuester 42 points 22 days ago
Docker does by default - it only works if you use sudo. But the docs tell you to add yourself to the docker group (which requires sudo to do). Then running docker doesn’t require sudo anymore.
tabular 9 points 22 days ago
Sudo can/usually does ask for password - but if you're feeling lucky you can use sudo without a password.
(Currently doing that after repeatedly failing to install an OS and have not yet felt compelled to change it back).
SirHaxalot 52 points 22 days ago
… and the Nextcloud developers think it’s completely reasonable to build a plugin system where you give this access to a web facing PHP application.
prettybunnys 10 points 22 days ago
What could possibly go wrong?
ChromaticMan 23 points 22 days ago
Sadly, nobody reads docs anymore. Now that I’m thinking, people never read the docs.
racemaniac 4 points 21 days ago
Suppose we all did read the docs. How possible is it with the complexity of a modern system to really take literally everything in account, and understand the implications oof everything to keep your system safe? It's great that it's documented, but if security isn't the default option, it will lead to issues, and everything has become so complex, that imo correctly managing everything is literally impossible... This is a systemic issue, not a user issue.
Lemmert 1 point 21 days ago
I don't think it would've been an issue if they just put a warning in the getting started section in the docs (or if they just have secure defaults to begin with). But currently there's no mention of it. It took almost a year for me to realise that I was running "production ready code" in root
ghodawalaaman 2 points 22 days ago path: 0 24027186 24028436 24029438, hotness: undefined, score: 2, children: 1
craftrabbit 69 points 22 days ago
I remember when I first needed to run containers I specifically went with podman because it doesn't require root access out of some vague fear that docker can be exploited to break my stuff. I feel validated.
tatterdemalion 9 points 22 days ago
Rootless docker exists now. Not sure why people still don't use it.
marlowe221 67 points 22 days ago
Slowly reaches for shotgun…
daniskarma 18 points 22 days ago
I'm sorry Dave, I'm afraid I can't allow you to do that.
GreenKnight23 10 points 22 days ago
there's just that pesky IBM thing that's constantly hanging around in the back waiting to pull the rug you're standing on.
GreenKnight23 4 points 21 days ago
keep telling yourself that. if it was 2006 I would say you're right, but 20 years of corporate neglect and abuse has caused many developers to age out and not really give a shit anymore.
young devs don't want to just "fork it", they want to make a better product. to sell it. to IBM (or entities like them).
so yeah. you keep trusting that IBM bear in the corner won't maul you when you take a nap.
I'll stick with docker, the solution that outright refused to bend a knee to the worse corporate slaver in modern history.
kunaltyagi 23 points 22 days ago
This was known for a decade now? That's why adding a user to docker group was always an additional step with a warning
And also why podman works the way it does
JRaccoon 38 points 22 days ago
Never ever add any users to the docker group. Rootless mode is cool tho (albeit with some caveats)
YeahToast 1 point 21 days ago
How do you find running it as rootless? I have enough grief with docker as is... Don't really feel the need to further complicate things by going off the status quo.. but I'm guessing it's somewhat more secure.
Jayjader 16 points 21 days ago
A good write-up I came across 2 months ago: "Your container is not a sandbox" https://emirb.github.io/blog/microvm-2026/
guitarfosec 10 points 21 days ago
Here’s a whole list of misconfigurations for specific binaries and the privileges they can accidentally provide. Useful for replacing the whale in your nightmares: https://gtfobins.org/
diabetic_porcupine 3 points 22 days ago
Is that normal config?
Ghoelian 1 point 21 days ago
On the docker side, yes, it runs as root by default. If you want rootless containers, try podman.
For Claude code, no, by default it asks for every command if it's allowed to run. Either this user allowed all docker commands, allowed all commands, or allowed the to ai decide if the command is safe or not by itself (yes this is a real feature). (If this is Claude code, which I can't tell if it is)
programmer_humor
@programming.dev
31938
2357
7362
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
go to feed...
programmer_humor
@programming.dev
31938
2357
7362
Welcome to Programmer Humor!
This is a place where you can post jokes, memes, humor, etc. related to programming!
For sharing awful code theres also Programming Horror.
Rules
- Keep content in english
- No advertisements
- Posts must be related to programming or programmer topics
go to feed...
I mean, there's a big ol' warning in the docs: https://docs.docker.com/...
But, I guess Docker doesn't really tell you not to do this... and I feel like a lot of mac users are not used to adding sudo at the front of docker commands so... idk.
save