Update documentation/tags to make docker-socket-proxy more secure for novice users

Open bluepuma77 opened this issue 1 year ago • 4 comments

The README.md shows this usage example:

docker container run \
    -d --privileged \
    --name dockerproxy \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -p 127.0.0.1:2375:2375 \
    tecnativa/docker-socket-proxy

In my opinion, the example contains two security risks:

  1. tecnativa/docker-socket-proxy on Docker Hub (link) defaults to latest, which is already 3 years old. Please either update the latest tag on Docker Hub to a more current version or add the edge tag to the usage example.
  2. The example uses --privileged, which gives a lot of permissions to the container even though this is not required; it runs without any issue on plain Debian without the parameter. If there are exceptions, they should be noted, but --privileged should not be assumed to be the default, and in 2024 there should be more granular options.

Combining a 3-year-old image with --privileged seems to be a very insecure usage example for novice users. The project is intended to improve security, but the example seems very counter-productive.

bluepuma77 Jan 30 '24 12:01
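A check for the two risks raised in this issue, as an added example that is not part of the original post or the project's code: it parses a `docker run` command line and flags `--privileged` and an image reference that resolves to `latest`. The function names and the `VALUE_FLAGS` set (a partial list of options that take a separate value) are assumptions made for this example.

```python
import shlex

# Assumption: a subset of `docker run` options that take a separate value;
# extend it for other value-taking options that appear in your commands.
VALUE_FLAGS = {"-v", "--volume", "-p", "--publish", "--name", "-e", "--env",
               "--network", "-u", "--user", "--cap-add", "--cap-drop"}

def split_run_args(command):
    """Return (options, image) for a `docker [container] run` command line."""
    tokens = shlex.split(command.replace("\\\n", " "))  # join continuation lines
    args = tokens[tokens.index("run") + 1:]
    i = 0
    while i < len(args) and args[i].startswith("-"):
        i += 2 if args[i] in VALUE_FLAGS else 1  # skip the flag's value too
    return args[:i], (args[i] if i < len(args) else None)

def image_tag(image):
    """Tag of an image reference, 'latest' if omitted, None if digest-pinned."""
    if "@" in image:
        return None
    name = image.rsplit("/", 1)[-1]  # ignore a registry port such as host:5000/
    return name.split(":", 1)[1] if ":" in name else "latest"

def lint_docker_run(command):
    """Flag the two risks named in the issue; returns a list of finding ids."""
    options, image = split_run_args(command)
    findings = []
    if any(o == "--privileged" or o == "--privileged=true" for o in options):
        findings.append("privileged")
    if image is not None and image_tag(image) == "latest":
        findings.append("latest-tag")
    return findings

# The README usage example quoted in the issue.
README_EXAMPLE = """docker container run \\
    -d --privileged \\
    --name dockerproxy \\
    -v /var/run/docker.sock:/var/run/docker.sock \\
    -p 127.0.0.1:2375:2375 \\
    tecnativa/docker-socket-proxy"""

# Constructed variant applying both of the issue's suggestions.
SUGGESTED = README_EXAMPLE.replace(" --privileged", "") + ":edge"

if __name__ == "__main__":
    for label, cmd in (("README", README_EXAMPLE), ("suggested", SUGGESTED)):
        print(label, lint_docker_run(cmd) or "no findings")
```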