Mount home dir in VM with 777

[tudborg]

I'm using volumes to persist db data, and i need the images to be able to write to the mounted shared folders.

Since changing ownership inside the container is impossible, allowing everyone to write is afaik the next-best solution.

[julien-duponchelle]

Perphas we should expose a dedicated folder instead of home directory.

[tudborg]

As of now, the default behavior is mounting the home directory.
I simply changed the mount options to allow other users in the vm to write to it (otherwise, only vagrant:vagrant is rw)

In my use case i need write access to my project folder, so mounting another volume would not solve it for me,

but i do agree that giving access to the entire ~ is a bit crude. I keep all my projects in ~/src/<project_name>, so providing an option to just mounting the path that i need would be a great addition.

If that is what you are suggesting(?) i'm up for implementing it.

[julien-duponchelle]

Yeah i think it will be more secure.

@bfirsh what did you think about that?

[tudborg]

For security, i don't really see any different from the existing docker-osx.

The VM already has full access to the shared folder, so my changes won't really affect security in the VM. It will however allow you to write to an attached docker volume from inside a container (if it is mounted as rw) just as if you had mounted it with docker without a VM in the middle. This moves security to your docker usage, just as if you where using docker without a VM.

I am assuming that the goal of docker-osx is to provide a close-as-possible docker experience?

What i suggested was simple to - in addition to the pull request - implement a docker-osx feature allowing users to mount only the required paths, but still in the full rw mode, so it resembles native docker experience a bit more.

[julien-duponchelle]

I'm not concerned about security bug, more about a bad comportement in container with the risk of deleting my personal photos. :P Yeah i agree with you about the addition of the setting.

[tudborg]

Haha, yes i can see how that would be an issue :p

Although for that to happen, you would still have to give the container access to your photos.

So something like

docker -d -v ~/Photos:/data:rw malicious/image:latest

And then have the container do some malicious things to the /data path where all your photos are mounted.

If you are afraid of that, you can simple mount it in the container as read-only:

docker -d -v ~/Photos:/data:r malicious/image:latest

And everything would be fine, your images are safe, but the container can still read them.

My point here is that this is how docker works, and if you explicitly give a container access to data that it should not have access to (why would you mount your photos in a container anyway, right?) then bad things might happen :)

[julien-duponchelle]

Yeah if i'm stupid you should punish me and destroy my data :P

[tudborg]

Wouldn't put it that way ;)

For the paranoid, we'll just implement a feature to only mount the folders you need in the VM. I can start working on that right away.

Still think the default should be to mount home though, since a nice feature of docker-osx is that it "just works" out of the box.

[aanand]

@noplay Don't I run the exact same security risk if I'm running Docker on my Linux laptop? I don't see why docker-osx has to be any more cautious.

[tudborg]

@aanand Exactly my point :) There is no additional risk added.

[tslater]

agreed.

[tudborg]

Could anyone merge or reject this?

[bfirsh]

Thanks!