Giving your containers a root canal
Straight from the Docker documentation, you will find that “The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.”
The documentation then proceeds to instruct you to add your user to the docker group in order to use Docker without using sudo. That sounds great, right? Well, the thing is, the docker group grants privileges equivalent to the root user. This can have dire consequences. For instance, any location on your host filesystem can be mounted into the container – and I do mean any! This even includes the / (root) directory and the container can then alter your host filesystem without any restrictions. There are several other security vulnerabilities that are a direct result of this architecture, but you get the picture.
What’s different about Podman is...
