Comment on My Favorite Self-Hosted Apps Launched in 2025
Pika@sh.itjust.works 4 days ago
man, arcane looks amazing, I ended up deciding off it though as their pull requests look like they use copilot for the main production of code for new features. Not that I personally have an issue with this but, I’ve seen enough issues where copilot or various AI agents add security vulnerabilities by mistake and they aren’t caught, so I would rather stray away from those types of projects at least until that issue becomes less common/frequent.
For something as detrimental as a management console to a program that runs as root on base systems, I would not want such a program having security vulnerabilities.
a program that runs as root
Does it have to run as root? It’s common to run Docker in rootless mode in production environments.
while docker does have a non-root installer, the default installer for docker is docker as root, containers as non-root, but since in order to manage docker as a whole it would need access to the socket, if docker has root the container by extension has root.
So if docker was installed in a root-less environment then a compromised manager container would only compromise everything on that docker system, which still isn’t great but not as bad as full root access.
ugh well that sucks butt. i’ll be trying new alternatives tonight i guess lol
any recommendations?
I switched from Portainer to Dockge to Komodo. Been very happy with komodo so far
Dockge?
Sadly no recommendations, I still use portainer myself
MangoPenguin@lemmy.blahaj.zone 3 days ago
I wouldn’t be exposing any management consoles to the internet either way, too much risk with something that has docker socket access.
Pika@sh.itjust.works 3 days ago
fully agree, mine isn’t accessible to the outside world either but, you never know if something gets missed. would rather not open up that risk
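
The point discussed in this thread, that a container given the Docker socket inherits whatever privileges the daemon itself has, can be audited from `docker inspect` and `docker info` output. The following is an added example, not part of the thread or of any project mentioned in it; the container names and JSON samples are constructed, shaped like `docker inspect` and `docker info --format '{{json .SecurityOptions}}'` output.

```python
import json

# Constructed sample shaped like `docker inspect` output (not from the thread).
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/manager",
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true}]},
  {"Name": "/web",
   "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
               "Destination": "/data", "RW": true}]},
  {"Name": "/rootless-manager",
   "Mounts": [{"Type": "bind", "Source": "/run/user/1000/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": false}]}
]
""")

# Constructed samples of `docker info --format '{{json .SecurityOptions}}'`.
ROOTFUL_INFO = ["name=seccomp,profile=builtin", "name=cgroupns"]
ROOTLESS_INFO = ["name=seccomp,profile=builtin", "name=rootless", "name=cgroupns"]


def daemon_is_rootless(security_options):
    """A rootless daemon reports a `name=rootless` security option."""
    return any(opt.split(",")[0] == "name=rootless" for opt in security_options)


def socket_mounts(containers):
    """Map container name -> host socket path for containers given the Docker API socket."""
    found = {}
    for c in containers:
        for m in c.get("Mounts", []):
            paths = (m.get("Source", ""), m.get("Destination", ""))
            # The RW flag is ignored on purpose: a read-only bind mount
            # still lets the container connect to the socket and call the API.
            if any(p.endswith("docker.sock") for p in paths):
                found[c["Name"].lstrip("/")] = m["Source"]
    return found


def blast_radius(containers, security_options):
    """What a compromise of each socket-holding container reaches."""
    scope = ("daemon user and its containers" if daemon_is_rootless(security_options)
             else "host root")
    return {name: scope for name in socket_mounts(containers)}


if __name__ == "__main__":
    print(blast_radius(SAMPLE_INSPECT, ROOTFUL_INFO))
```

On a real host, feed the functions the parsed output of `docker inspect $(docker ps -q)` and the daemon's security options instead of the constructed samples.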