by jeswin 32 days ago
> Make sure you're running a rootless VM engine (e.g. podman instead of docker) !

Aren't most people running docker rootless (at least on Linux)? Does podman do more?

4 comments

The docker CLI tool is normally executed with user privileges, but there's dockerd, a daemon running as root that actually does the container execution.
I'm not sure people understand the security vectors. A user with docker permissions effectively has root permissions.

Often, docker in docker is used to manage docker orchestration. Putting a user in a docker and providing docker access is security through obscurity.

On the flip side, I see people blindly installing tools and skills not understanding they are pushing context and capabilities without any significant security features.

Imagine mythos is actually an exceptional hacker. If you give it a well-crafted malicious prompt, it's going to be even more insecure.

The double-edged sword is really fascinating to think about.

Docker has not required root for a long time, at least on Linux. There's even a convenience script for it: https://get.docker.com/rootless

Almost everyone I know installs docker rootless.

Installing docker doesn't require root.

"Rootless mode lets you run the Docker daemon and containers as a non-root user."

https://docs.docker.com/engine/security/rootless/

This is how docker is best installed on Linux, and there's a convenience script for it as well (https://get.docker.com/rootless). I am surprised that's not how people are using docker.

If it’s not default, most people won’t do it.
Most people don't even know about it.
> Aren't most people running docker rootless (at least on Linux)? Does podman do more?

In the HPC space Apptainer (previously "Singularity") was created precisely due to (multi-)user-level access, especially with the use of NFS.

I'd guess that most people who run Docker on linux install it through their distro's package manager, which has a dockerd running as root.

On Debian derivatives, you need some kind of extra privs to even talk to it (being a member of the "docker" group, iirc).

The docker service that sets up containers runs as root. podman does away with that service.
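The thread's two points, that a root-owned dockerd makes "docker" group membership effectively root and that rootless mode moves the daemon and its socket under the user's own UID, can be checked on a host with a small audit script. This is an added example, not code from any of the commenters or from the Docker project; it assumes the conventional socket locations (`/var/run/docker.sock` for a rootful daemon, `$XDG_RUNTIME_DIR/docker.sock` for rootless) and a `stat` that is either GNU or BSD flavoured.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the thread): classify the Docker endpoint a host
# is using and flag users who hold the "docker" group on a rootful host.

# Classify a Docker API socket by its owner: a root-owned socket belongs to a
# rootful dockerd; any other owner means a rootless daemon under that UID.
# Prints one of: rootful | rootless | missing
docker_socket_mode() {
  local sock="$1" owner
  [ -e "$sock" ] || { echo missing; return 0; }
  # GNU stat first, BSD/macOS stat as the fallback
  owner=$(stat -c '%u' "$sock" 2>/dev/null || stat -f '%u' "$sock")
  if [ "$owner" = "0" ]; then echo rootful; else echo rootless; fi
}

# Return 0 if the named user is in the docker group (on a rootful host that is
# effectively root), 1 if not or if the user does not exist.
in_docker_group() {
  local user="$1" g
  for g in $(id -nG "$user" 2>/dev/null); do
    [ "$g" = "docker" ] && return 0
  done
  return 1
}

# Pick the endpoint the way the docker CLI would: DOCKER_HOST if set, then the
# per-user rootless socket, then the system socket. Prints "<socket> <mode>".
audit_docker_host() {
  local sock runtime_dir
  runtime_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
  if [ -n "$DOCKER_HOST" ]; then
    sock="${DOCKER_HOST#unix://}"
  elif [ -S "$runtime_dir/docker.sock" ]; then
    sock="$runtime_dir/docker.sock"
  else
    sock=/var/run/docker.sock
  fi
  printf '%s %s\n' "$sock" "$(docker_socket_mode "$sock")"
  if in_docker_group "$(id -un)"; then
    printf 'user %s is in group docker\n' "$(id -un)"
  fi
}
```

Running `audit_docker_host` on a distro-packaged install typically reports `/var/run/docker.sock rootful`, while a `get.docker.com/rootless` install reports the per-user socket as `rootless`.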