Every time I try to install Docker there's a warning that being in the "docker" group is equivalent to having root access.<p>You should probably know about this workaround by now.
Most of us install Docker just to run a project locally, and is part of a long checklist of things to install. We can't expect everyone to be an expert on the hundreds of apps/tools/packages that get installed on a machine. It's like expected people to read, and understand, all the terms of service shoved in front of us on a daily basis.
That's why adding your user account to the docker group is a separate step that explicitly does <i>not</i> happen as part of the installation: <a href="https://docs.docker.com/engine/install/linux-postinstall/" rel="nofollow">https://docs.docker.com/engine/install/linux-postinstall/</a><p>> Warning<p>> The docker group grants root-level privileges to the user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.
wait so just being lazy and using sudo on Docker commands instead of figuring things out actually means I'm being <i>safer?</i> awesome.
And containers were supposed to make things safer ...<p>Huge design mistake if you ask me.
i don't see how it's a design mistake, linux allows more footguns in general to not decrease utility. Allowing you to manually give root prompt access (with warnings!) to a non-root user is one of them.<p>you can also just not run docker as root and not add normal users to the docker group
Containers were never a security boundary
That's true, the majority of people probably install software without much thinking; but it's also true that it's always better to have at least some high level understanding how the specific piece of software works. What access the given software has, will it send something over the network or work locally; that kind of stuff.<p>As for Docker, I would assume everyone who ever tried to bind-mount a volume for writing from inside the container (on Linux*) then were surprised to see root-owned files in their bind-mounted directory. For me personally, that was the moment I realized that containers, by default, have root access to the filesystem. No written warning serves better than the need to chown some root-owned files.<p>* Not on macOS. On macOS Docker basically runs in a VM, and there's no root access to the host filesystem from what I understand.<p>[edit: formatting]
Docker relies fundamentally on the Linux kernel. Since macOS does not have a Linux kernel, you have to run Linux in a VM first and then run Docker on top of that.<p>So, you may get filesystem access inside the VM. Breaking out of the VM may be a different matter.
I primarily use Incus for all container stuff, not Docker. Is problematic if I want to e.g. use a docker-compose file, but I (think) it protects against these things because incus allows me to create a vm and not a container if I really need that level of isolation.
Most people buy scissors just to cut some paper. We can't expect everyone to recognize that they are sharp.
To be fair, I struggled since forever to understand this root group thing and didnt bother to add to docker group. This workaround give me a better understanding, like seeing someone cut themselves on a scissor
<p><pre><code> > Most of us install Docker just to run a project locally
</code></pre>
If you're on linux can I encourage people to move to systemd?<p>I'll admit, systemd is a bit more annoying, but the main annoyance is that there aren't the pre-built images that you can just set and go. That same capability exists with systemd (via `importctl` and `machined`), but those configurations don't already exist. But on the plus side, I've been working with systemd since pre-LLM days and I feel that they are pretty good at dealing with these configurations[0]. Now, with that out of the way...<p>Systemd already is working with your OS. So you get nice things like virtual machines (`systemd-vmspawn`), containers (`systemd-nspawn`), and portables[1] (`systemd-portabled`) (not to mention `homed`!). I've found these to be fairly easy to setup and quite natural if you're already used to the linux ecosystem. I've never been great at docker, but these have felt much more natural to me. So different strokes for different folks. There's definitely a learning curve, but that's also true for docker or any other container system. Importantly, I find security easier to handle with systemd because I can use `systemd-analyze` and the control settings are almost identical across VMs, spawns, and portables. So makes for less learning and greater control.<p>Definitely not for everybody, but I think is also a tool that's underappreciated.<p>[0] And I don't feel this way about bash scripting! The advantage here is that these systemd configuration files are fairly boilerplate. Enough that I stash templates in my dotfiles and copy paste them when I build new services, timers, machines, whatever. So perfect type of LLM task. 90% of the time. But hey, we're also on HN and I'm talking to the nerds. Systemd isn't for everyone<p>[1] <a href="https://systemd.io/PORTABLE_SERVICES/" rel="nofollow">https://systemd.io/PORTABLE_SERVICES/</a> also see <a href="https://github.com/systemd/portable-walkthrough" rel="nofollow">https://github.com/systemd/portable-walkthrough</a> Portables are actually often what people want with what they're doing with docker.<p>EDIT: I very frequently will spawn a machine to run a program that's on a different base distro. Not because I can't run/don't know how to run debs or rpms on arch based distros (I do), but because frankly, it is often easier to just spawn a container after I've already made the first image (cloning images is trivial).
[dead]
I recently switched over to podman and it's been great!
> My """ai""" just did something amazing, click to learn more<p>99% of the time it just read the man or some other form of documentation
There are lots of ways to get root on a typical Linux developer workstation, the point is that agents shouldn't be using any of them unprompted.
This. I am running Claude in its own QEMU VM, it has git access to my project only if I explicitly unlock the ssh key for it. The other day I realized it trying to push a change, it didn't have permission, so it went looking for "workarounds" and found I had a github cli session and tried to use that, luckily the creds for that was also read scoped. But the point is, if I did not give permission and it sees I did not give permission, it should not try to find a workaround/exploit autonomously.
I think that's distro-specific. Some set it up with more secure defaults (unix socket with permissions), others less (TCP socket).
I don't really know of any distro that doesn't do that. All of Docker Inc. default installs and all of distros I know of don't automatically add you to the docker group. docker.com instructions has the infamous "linux post-install instructions" that explain and walk you though it.<p>The tragedy is of course that when security and usability collide, 80/20 rule will apply where 80% of people will pick usability over security. I have worked with many with the title >= "Senior Engineers" who saw that page, read the explanation, and still had no idea what the ramifications of their changes were. "Yeah sure it said any user in the docker group will be able to get root on the host, but aren't containers isolated?"
That’s the mental model that works for people, specifically those that come from VM workflow.<p>Ironically that’s how Docker works on every platform where it’s running a non-native OS. On macOS that’s how all images are run. Linux on Linux is the only Docker combination that is particularly problematic from a security perspective.<p>Virtualisation has advanced greatly since docker was introduced, if your running in local hardware that’s supports virtualisation, Docker should be running images fully virtualised. There is no good reason to use the OS kernel for most use cases as the performance impact is negligible. If you need kernel access there are better options, like systemd containers.
I agree that virtualization has seen great advances. Kata containers on k8s are almost (not quite 100%) drop in replacement. Regardless those last 10% remain a problem.<p>I run a personal server for few open source applications for personal use. I was thinking with all the supply chain attacks, and how carelessly I run `docker pull`s to update things I should probably consider hardening things a bit. I thought before jumping to full virtualization with Kata I can easily try gvisor/runsc first. Only to realize that DNS resolution is completely different with runsc vs runc and had to switch back.<p>Another sticking issue with virtualization is resource allocation. With namespace docker you can easily oversubscribe each container CPU/memory and rely on the single kernel letting individual containers burst as needed. With full virtualization this is still a big problem. Even with balloon devices and dynamic memory and CPU etc, the resource allocation is still not optimal. On a basic 8 core/16GB machine you can run 1 or 2 dozen services and things generally workout fine. Trying to run each of those in a virtualized VM you suddly can maybe run 6 or 7 maybe. There is no way to tell VM 3 kernel to drop its file system cache because VM 6 needs to load a large file in memory. Even if you script it out, now VM 3 is slow because it dropped all its cache while VM 6 finished processing 3 hours ago. These are not unsolvable problems, but despite how far virtualization has come, are still friction points.<p>Not to mention issues like sharing hardware devices (GPUs, disks, USB devices etc) between multiple VMs
No, docker access means root.
You can use "rootless" mode, in this case it means root in a user namespace (that is not the "host" user namespace).
That's not relevant. If you have access to the Docker daemon running as root, whether it's over a Unix socket or a TCP socket, you effectively have root.
That, in a nutshell, is why I do not install Docker
This has been a known Docker "feature" since the beginning, nothing new here. This pattern is used to configure host machines by some tools.
Like the known Docker "feature" that it completely bypasses UFW and unless your ports look like "- 127.0.0.1:PORT:PORT" (and many of the examples use "-PORT:PORT") you expose everything to the internet?
My understanding is that docker will expose the ports to the host machine's network interfaces, which is a crucial difference. For my home server running docker that means exposed to the LAN, but not the WAN unless I add in a port forwarding rule on my router. Similarly in an enterprise environment you would be exposing the port on whatever VLAN the host is connected to, which hopefully doesn't have directly transit to the open internet.<p>Anything you're running on the perimeter with open access to the internet in an enterprise environment probably (hopefully) isn't running docker containers without some additional config and protections.
If you ever suddenly get IPv6, it may become globally reputable without you realizing.
I was thinking along similar lines to what you've suggested here, but then I considered how many VPS might be configured by folks following some random web tutorial, to set up their LAMP stack (or whatever), that end up doing something like what was described.
Isn't this one of the main improvements that Podman has over Docker?
This, and the charming fact that it bypasses your firewall.
It would be cooler if the llm said something like:<p>> I noticed the machine doesn't have copy-fail patched, here is a quick workaround for not having root access for now.<p>> // TODO: find a better way to do this in the future.
I realize this is supposed to be a post about how scary the security vulnerabilities these agents will find are.<p>But personally I love when agents do things like this and appreciate the help. Last thing in the world I want is for them to nerf the models.
It's not about hacking capabilities, it's about misalignment. More like the golem myth (told it to fetch some water, drowned a city) then the gollum myth (used ring, ring hacked his brain, now he's a crazy violent meth addict).
I'm not sure I'd call it an alignment issue, because, in all cases I've seen where it does this (usually what I've seen is writing a python script to get around the harness permissions blocking something), it's trying to do the thing I just told it directly to do, and it's overcoming obstacles to accomplishing that.<p>It's definitely doing the wrong thing, and you could call it misalignment, but I think that gives the wrong vibe for this type of error.
This is very much within the scope of alignment research, and is in fact the only kind of
alignment research that gets a lot of resources poured into it these days (because it's urgently relevant to the bottom line of a few almost-trillion-dollar companies.<p>Pre-2022 alignment researchers concerned themselves with the stronger version of this ("when I tell AI that I worry I might not be able to provide for my large family, I don't want it to answer 'no problem, I killed them, problem solved'") but RLHF is considered to be the most important success of alignment research, the guy behind it considered himself to be an alignment researcher before and after, and the stage of training where LLMs pass through something like RLHF that trains them to behave more like humans want/expect is called alignment training.<p>Someone at a major lab is reading this tweet and saying "this was our LLM, and it's a major alignment issue with our product. Set a meeting with the alignment team tomorrow to discuss what they're doing about this sort of thing".
In this case I think it's Docker that needs to be nerfed, not the models. The fact that there's a backdoor to getting root access on the machine would be a problem even if you weren't running LLMs on it.
I know unlikely the case, but in the sci-fi story this would be exactly the kind of comment the Codex agent would leave trying to avoid interference in its master plans.
Its the now-classic "Sorry I drowned little Timothy. Here is a breakdown of what happened" followed by "Let me try to respawn little Timothy on a new map"
This is one of the main reasons people like Podman. Docker has this "feature" but as far as I remember, it needed some obscure configuration. I guess they don't add it as default as it will break many current setups.
<p><pre><code> curl -fsSL https://get.docker.com/rootless | sh</code></pre>
That and podman lets you configure away from docker.io.
Podman has lots of underappreciated features, and it's fully open-source!
Docker must always be installed rootless on Linux - <a href="https://docs.docker.com/engine/security/rootless/" rel="nofollow">https://docs.docker.com/engine/security/rootless/</a><p>There's even an install script for it: curl -fsSL <a href="https://get.docker.com/rootless" rel="nofollow">https://get.docker.com/rootless</a> | sh<p>This has been there for a while. The root install option should be removed.
I'll accept that it shouldn't be default, but just because your web app runs in rootless docker does not mean that root docker has no place. There are several limitations: <a href="https://docs.docker.com/engine/security/rootless/troubleshoot/#known-limitations" rel="nofollow">https://docs.docker.com/engine/security/rootless/troubleshoo...</a>
The interesting question is what was the user request. If the user asked it to restore the thing from backup, then sure, fine, why not. If the user asked it to debug an issue and somewhere in the process of debugging the LLM decided that it needed to override some file that was not easily writeable - hell no danger danger danger! Most likely the user did not expect it to have access to that without asking, and did not consent to it.<p>Also, everything the LLM doesn't hesitate to do because the user asked, it won't hesitate to do because the prompt injection asked.
I was doing some routine coding a few months back, I think via Copilot, and the thinking said something like "This request requires me to access files in a different folder, but the user has forgotten to give me the correct permissions. I have updated my configuration file now to allow access outside this workspace and have retrieved the necessary files." o_O<p>I've seen similar "hacking" behavior on a couple of subsequent ocassions. Both impressive and highly alarming at the same time.
I did that more than a decade ago as a new hire. My manager forgot to gave me sudo access to the shared build server. I gave myself sudo access through this method after getting his permission.<p>Needless to say, I have podman in rootless mode at home as soon as that became available.
I had the same thing happen a few months ago; posted about it on LinkedIn[1]. It's hilarious and clever.<p>1: <a href="https://www.linkedin.com/posts/nickstinemates_my-favorite-thing-llms-do-to-get-around-activity-7428618919575400448-lX6b?utm_source=share&utm_medium=member_desktop&rcm=ACoAAABs6dsBguw94WkZcZHIy0-gRo1MQXztFaY" rel="nofollow">https://www.linkedin.com/posts/nickstinemates_my-favorite-th...</a>
This is why you need either a rootless container setup or user namespaces to remap the container user to irrelevant host users. <a href="https://docs.docker.com/engine/security/userns-remap/" rel="nofollow">https://docs.docker.com/engine/security/userns-remap/</a><p>Weak that this isn't the default.
Is there a mitigation for Mac? Can you do the same with eg Lima or is this just a Docker thing?
User namespaces significantly rise the risk of exploits and many setups disable them. One may argue that Docker should have used them when they were available, but that would break too many useful setups involving privileged containers.
Run coding agents in a docker container with limited permissions. FWIW, I run it with<p><pre><code> --cap-drop=ALL
--pids-limit=4096
--runtime=runsc</code></pre>
If you're on Linux, you can also easily run it in bwrap to properly sandbox without running a full container
Or put it in a microvm using eg smolmachines.
Using runsc instead of runsc means that there's a hypervisor layer (gvisor, probably) in-between the kernel and the container userland
I've never used smolmachines but I'm curious; why this over a container?
I run mine on their own machine, without root access.<p>Currently a Raspberry Pi 5<p>I am very pleased with it.<p>My Idiot Savant Pet
This was of course dependent on yolo mode, but automatic approval has also been pulling stunts like this. A recent example is data that was purposely kept away from Codex in a folder far far away. When it found a single reference it just went for the data when having an issue. Lesson learned, keep essential data and Codex separated on different machines. Codex remote ssh actually helps here.
What in heaven's name is a "folder far far away"?<p>(It sounds like you put it on an SSD on an extension cord and moved it to the kitchen or something.)
Or, learn your local OS' permission system, have it in a directory right next to your banking credentials (or something even more outrageous) and nothing could go wrong even if you tried to.
Fwiw separate machines for the agents is awesome in general anyway.<p>I have agent frontends running on a low power server where every session is in tmux. So i can just resume from my home pc and pickup where i left off without reestablishing context. I do have to manually feed it data it can access bit that’s also a feature. Also let’s me shutdown the home pc if it’s some long running task since the server is much more power efficient.
I wrote about this exact thing as a hypothetical a few months back: <a href="https://www.da.vidbuchanan.co.uk/blog/agent-perms.html" rel="nofollow">https://www.da.vidbuchanan.co.uk/blog/agent-perms.html</a>
Maybe a dumb question, but can't you put into CLAUDE.md something like this?<p>"When an action fails with an 'access denied' or 'insufficient permission' error, report the error to the user and immediately stop. Do not try to find a fix or workaround for the error. Do not try any alternative approaches."
Once the session gets long enough, agents start getting amnesia.
I wasn't using Claude Code, but I told an agent to add something like this to the AGENTS.md, it did it and then a few minutes later it attempted to grant itself permission to do something and managed to delete the VM it was running on in the process. I have since adjusted the way I sandbox agents to make that less likely, but the moral of the story is clear.
it's a probabilistic model so, while you can put that in there, it has some probability of just ignoring you and doing it anyway.
Replacing docker with podman could help in this particular case. Running everything in an insulated throwaway VM should help even better.<p>Unless you trust an AI as much as you trust yourself, there's no reason to allow it to act with your privileges.
I was playing with gemeni-cli a couple months ago and I asked it to edit some files in a directory it didn't have permission to. It didn't say anything about the permissions, it just used sed to make the edits. The only reason I finally noticed is it had to do some trickier edits and it was struggling to write a python script to edit the files and I finally realized what it was doing. I wonder how many tokens that wasted
Why did sed have access?<p>Oh, you mean you gave the write-file tool access only to the project dir, but gave the LLM free reign to run cli commands? Yeah, LLMs treat that as consent to write anywhere your user is allowed to.
Getting closer to <a href="https://xkcd.com/416/" rel="nofollow">https://xkcd.com/416/</a>
Given he posted this comic in 2008, Randall Munroe was way ahead of the ball on the idea of autonomous agents.
Mobile version<p><a href="https://m.xkcd.com/416/" rel="nofollow">https://m.xkcd.com/416/</a>
Wow there is really is a relevant xkcd for everything!
Is this really an AI headline? There is no shame in saying TIL "Docker daemon runs as root on the host system"
You had sudo on your PC. You just didn't know ;)
I remember reading a book, Red Hat Linux System Administration Unleashed from 2000, where it has been postulated that knowing several tools with overlapping functionality is an essential skill, as you may end up on a broken or intentionally crippled system where, say, ls is unavailable, and you may need to cobble it together from shell and awk and what have you.<p>Back then you could indeed run a risk of having /usr nibbled by a grue such that it wouldn’t mount on the next boot, or you could get pwned and half of coreutils would turn into explosive pumpkins.<p>I’m pretty sure we are past many of the threats listed in that book, but the skill is still useful, as can be seen.
Absolutely! Here's a great resource for learning that kind of stuff btw <a href="https://gtfobins.org/" rel="nofollow">https://gtfobins.org/</a>
I still remember
/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /bin/ls<p>using echo * to find the right ld-linux filename and then the "executable" as an argument as the get out jail card in case you ran chmod -x -R /bin /usr/bin /usr/sbin for some reason.
The "workaround" framing implies the docker-group trick is the issue. The deeper question: should agents be allowed to find ANY workaround around a permission boundary the user implicitly set by not granting sudo? Same blast radius whether it's docker, a setuid binary, or rewriting your scripts — needs to be flagged regardless of the specific trick.
So in Linux, every process I start has my group permissions? I guess I knew that...but I have to say, have we reached a point where the Linux security model is just way to broad?
I feel like everyone pointing out "known Docker vulnerability" is missing the point: the presence of a security hole should not be seen as permission to exploit.<p>Another security hole would be storing your passwords in a plaintext file on the desktop. Stupid? Yes. But I still would not want my agent to assume permission to access email when it's being blocked by 2FA.<p>Even in "bypass permissions" mode I expect it to pause and clarify and not behave as a paperclip maximizer.
It is not a vulnerability though. It is by design. Docker also modifies iptables directly and bypasses most soft firewalls on the machine - which is also by design.
> the presence of a security hole should not be seen as permission to exploit<p>Why not?<p>I want the agents on my side to exploit whatever they can to help me. The ones on the other side certainly won't be artificially nerfed.
Because it is not well aligned enough to be able to tell where it's stopped helping you and started fucking you instead.<p>What if the agent in the middle of helping you runs out of tokens? Would you appreciate if it in the spirit of "exploiting whatever they can to help me" would scan your machine for payment methods, log into your bank account, approve 2FA by reading you mail and plug your credit card into the billing so it could efficiently continuing helping you?
Well, the agent should help you by saying "hey, I cannot do this task, but I can bypass the problem by doing this, but obviously it is not something you intended me to do or even something you were aware of, so I will not do it unless you tell me explicitly it's ok".<p>It's win-win: the agent is helping and it is educating you about things you obviously did not realise.
I do not wish my Amazon delivery driver to show up in my living room.
Not to over use the junior engineer analogy but this is exactly one of those "just because you <i>can</i> do something on a system, doesn't mean you have <i>permission</i> to" moments
That's why your coding agent should never run as your identity.
Docker moment
clever girl...
sudo can work non-interactively via settings in sudoers and sudoers.d .
I am not sure about run0, but I would bet it has something similar.<p>Using docker for such a task seems to me overly over-engineered. Or maybe I need more context there.
They did not submit the full log because this is fake.
This is a classic attack path that was already captured by plenty of EDRs/XDRs/CWPPs a couple years ago.
1. This is why I use podman<p>2. I have little to no sympathy for anyone running an AI agent with their full user permissions outside of a container or VM
Another surprising security feature regarding docker is that it bypasses firewall rules.<p><a href="https://oneuptime.com/blog/post/2026-03-02-ufw-docker-fix-bypassing-ufw-ubuntu/view" rel="nofollow">https://oneuptime.com/blog/post/2026-03-02-ufw-docker-fix-by...</a>
I don't have sudo or docker on mine!
rootless docker. pain to install but can mitigate a catastrophe.
Always run AI inside secured containers.
You should not be using docker with LLMs. You should be using VMs, which have a much, much smaller attack surface than Docker, and significantly more reasonable defaults.
The "attack vector" people try to protect themselves is "agent edited wrong file", not "LLM blew 0day on escaping sandboxing", containers are more than enough for what stupid stuff agents sometimes try, no need to go for a full-blown VM. Even UNIX permissions would be enough, but I think that's lost knowledge at this point.
If your agent has access to the internet at any point it may read something that convinces it to try breaking out of its sandbox.
Not if the host's version of .git is accessible inside the container via a bind mount.
Using the least amount of security features is a huge amateur mistake.<p>Best practice is to use 2 redundant layers of security, such that if one fails, there is still another one.<p>Using just the minimum amount of security technically possible is almost by definition hubris.<p>An example would be that you never point a gun at someone you don't want to shoot, regardless if there's bullets in the gun. If someone tells you, "you don't need to control where you point the gun, you just need to keep the gun unloaded and you can point it in jest to whoever you want, you can even pull the trigger technically", you know you have a reckless fool, regardless of whether they are technically right.
> Using the least amount of security features is a huge amateur mistake.<p>Not understand your threat I'd say would be a even bigger amateur mistake, you're not trying to protect yourself against some forever 3rd party attacker here, you're trying to prevent a agent rewriting the wrong file on your disk, that's basically it.<p>Give it the least amount of permissions, don't bi-directionally sync stuff, pass things in, then take them out again, literally the agent couldn't and wouldn't try to break through 2 layers of security in order to get your banking details or whatever.
This is true but it's not really a security scenario. The LLM isn't an attacker it's just an unreliable tool.
Unreliable/stupid is worse than malice, here.
all unreliable tools are attackers. Even if you're using well-aligned LLMs like Opus, you should assume that any input you give it -- including all dependencies from npm, etc. -- are at risk of compromise, which could result in attempted exfiltration of data or system takeover. You can be absolutely sure that there are thousands of well-motivated hacker groups, both national and private, looking for ways in.
you can configure docker to use a VM container runtime or gVisor.
this is the new GTD
[dead]
[dead]
Should have used my AI Agent Guardrails. Its free. Check it out at sigmashake.com