Hacker News new | past | comments | ask | show | jobs | submit login

Why would you want Docker to be able to bind any folder? Or even edit "anything" in your IDE? Don't you have a /projects folder somewhere?

..and, office?! Do you keep spreadsheets in system folders?




Docker bind to a project folder (common for development) allows the image to take over the shell. Taking over the shell allows taking over the package manager. That allows taking over the system.

I keep spreadsheets in project folders. Allowing full writes to a project folder allows taking over the shell. See above.

Folder-level permissions are not sufficient. Sorry, I shortened it too much, but basically - there's almost no practical difference between allowing writes to a dev project folder and allowing writes everywhere. (It would stop some really trivial attempts) Your actual system folders are safe of course... but who cares about those really?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: