by cyphar 33 days ago
That doesn't actually do anything, connect(2) doesn't need write access to connect to a socket. If you think about it, if that did work then a socket with read-only permissions would be basically useless -- Docker uses HTTP for its API, how would the request for "read-only data" be sent without the ability to send messages?

I wrote a comment ~8 years ago about this[1], I'm kinda sad people still do this and seem to misunderstand just how big of a security hole they are opening...

Just don't do it. If you absolutely must then you can configure some very restrictive AuthZ plugin (but those are incredibly fickle and are almost certainly security theatre because they are basically just an application firewall).

[1]: https://news.ycombinator.com/item?id=17983623
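As an added audit helper (not part of the comment above, and not Docker's own tooling): a small script that scans `docker inspect` output and flags every container that bind-mounts the Docker socket, ignoring the `:ro` flag when deciding whether to report, since a read-only bind mount still lets a process connect(2) to the socket and talk to the daemon. The JSON sample is constructed, and the socket paths checked are an assumption.

```python
import json

# Constructed sample of `docker inspect` output (not real data): one container
# mounts the Docker socket read-only, the other mounts an unrelated directory.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "constructed-container-a",
        "Name": "/ci-agent",
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": False},
            {"Type": "volume", "Source": "cache", "Destination": "/cache", "RW": True},
        ],
    },
    {
        "Id": "constructed-container-b",
        "Name": "/web",
        "Mounts": [
            {"Type": "bind", "Source": "/srv/www",
             "Destination": "/usr/share/nginx/html", "Mode": "ro", "RW": False},
        ],
    },
])

# Assumed host locations of the daemon socket (/var/run is usually a symlink to /run).
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def find_socket_mounts(inspect_json):
    """Return one finding per bind mount of the Docker socket.

    The RW flag is recorded for the report but never used to suppress a
    finding: a read-only bind mount does not stop connect(2) on the socket,
    so the container can still send any API request to the daemon.
    """
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            source = mount.get("Source", "").rstrip("/")
            if mount.get("Type") == "bind" and source in SOCKET_PATHS:
                rw = mount.get("RW", True)
                findings.append({
                    "container": container["Name"],
                    "destination": mount.get("Destination"),
                    "rw": rw,
                    "note": "full access" if rw
                            else "mounted :ro, but that does not restrict the API",
                })
    return findings


if __name__ == "__main__":
    for f in find_socket_mounts(SAMPLE_INSPECT):
        print(f"{f['container']}: {f['destination']} ({f['note']})")
```

On a real host, pipe `docker inspect $(docker ps -q)` into the function instead of the constructed sample.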