Batten down the patches: New vuln found in Docker container tech

More security woes plagued users of the Docker application containerization tech for Linux this week, after an earlier security patch was found to have introduced a brand-new critical vulnerability in the software. The Docker 1.3.2 update, which was released in November to address critical bugs that could be exploited by an …

  1. Anonymous Coward
    Anonymous Coward

    To be expected

    This is what happens when security is not designed in from the start.

    Add in the systemd monolith running in PID1 and you have security breaches on an epic scale simply waiting to happen.

    Linux had better get their house in order if they don't want to be seen as a bigger joke than they already are.

    If you thought Heartbleed was bad, you haven't seen anything yet...

    1. Anonymous Coward
      Holmes

      Re: To be expected

      Troll much? And not very subtle are you, squeezing a systemd blast into a comment on a Docker article.

      Back to Trolling 101 class for you, Coward.

      1. Anonymous Coward
        Anonymous Coward

        Re: To be expected

        This troll is correct. Systemd is relevant here; Docker is driving a lot of the buzz around it. And these Docker vulns, W-T-F... these aren't arcane virtualization issues, these are just stupid Unix tricks biting these guys in the ass. (Judging by what I read, anyway... I don't actually *use* any of this shite.)

        1. Ben Tasker

          Re: To be expected

          There's a lot of excitement over Docker, but it does seem like they're letting some truly trivial vulnerabilities through the door; it's not exactly reassuring.

        2. Anonymous Coward
          Holmes

          Re: To be expected

          @tnovelli - "This troll is correct. Systemd is relevant here"

          No. There is a lot of buzz around systemd integration with Docker, but Docker works just fine on Ubuntu under upstart and on other non-systemd systems (Slackware and Gentoo for example). Upstart seems to handle automatic starting and restarting of containers similar to systemd. I wouldn't move to a distro running systemd just to use Docker.

    2. Anonymous Coward
      Anonymous Coward

      Re: To be expected

      "Linux had better get their house in order if they don't want to be seen as a bigger joke than they already are."

      Quite. It still uses fundamentally insecure approaches like SUDO instead of proper constrained delegation. Having your security functionality dependent on what file system version your OS lives on LOL? It's out of the dark ages. Linux should take a look at the Windows security model which is in general vastly superior to the Linux one and take a similar approach.

      1. Robert Helpmann??
        Childcatcher

        Re: To be expected

        "Having your security functionality dependent on what file system version your OS lives on LOL?"

        So how is that not the case elsewhere? You will have a hard time enforcing ACLs on a drive formatted with some derivative of FAT (current examples include most thumb drives), even if you are using Windows. Sure, it would be better to bake encryption into Docker containers, and yes, Windows might offer some examples of a valid direction in which to proceed, but I would not be anxious to recreate the oft-confused difference between granting rights on a network share and rights to the contents of the share.

  2. frank ly

    Pre-flight checks

    Maybe they should run it past Tõnis Tiigi before they go public. He seems to be good at this.

  3. This post has been deleted by its author
