• 1 Post
  • 24 Comments
Joined 1 year ago
Cake day: October 8th, 2023

  • Don’t get me wrong, I am fully aware that you need to reduce as much as possible the amount of access something has but as you said:

    you should never have permissions to things you don’t need

    well Cosmos needs to see your files if you want Cosmos to manage your files. It’s that simple. By default it’s on because it is needed for Cosmos to function. You can remove it, but at the expense of some of the functionalities of the server.

    By the way Cosmos, as a Docker management software, has access to your docker socket. Which means, you can remove anything you want from the container; technically, it can add it back itself. Having access to the socket means being able to manage the containers, including itself. In other words, having this mount in the docker run command is just a comfort thing, but in terms of privilege, whether it’s Cosmos or Portainer or any other docker manager, they have full root access to your system and that’s unavoidable.

    why not have -v /CasaFolder:/mnt/host or something similar

    Because it would require users to always update their Cosmos containers to add additional folders all the time, giving a terrible and very error prone user experience.

    If there is a solution out there that solves that problem (as in allows Cosmos to continue to work the same without that mount) then I will gladly implement it. But as far as I can see there isn’t such a solution.

  • Cosmos is a fully fledged server management platform, as such it requires that access to the host server in order to operate.

    “--privileged -v /:/mnt/host” is not as bad of a thing as you would think in that context, in fact it is equivalent to running a daemon like you would with any other alternative (CasaOS, Umbrel, etc…). Those are just requirements for Cosmos to run with the same level of exposure as those alternatives that are not docker containers.

    My only alternative would have been to make Cosmos a daemon and not a container, but then it would make install and maintenance harder.

    I understand your point, and yes ideally it would run as an isolated container, but it’s just not possible to have a supervisor software managing your server running in an isolated container with no container; it is contradictory.

    I propose as an alternative to run Cosmos with lower privilege, in which case some features will not work, but the default is to run Cosmos with the privileges it requires for all features to work as expected.

    And the bottom line, the security benefits behind Cosmos for your average home-server outweigh by far this “--privileged -v /:/mnt/host”. Slight reminder that a very large portion of people running alternatives like Casa, Umbrel, etc. also expose those root daemons without even HTTPS or anything!
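Both comments above make the same point from the defender's side: a container that is `--privileged`, that bind-mounts `/`, or that has the Docker socket mounted is effectively root on the host, whatever its name. The script below is an added example (not part of this thread, and not Cosmos or Portainer code) that reads `docker inspect` JSON and flags those three conditions per container, so an operator can see which containers on a home server are host-root-equivalent and which merely have a scoped, read-only mount. The inspect document is a constructed sample trimmed to the fields the check reads; the container names and paths in it are made up.

```python
import json
import sys

# Constructed sample in the shape of `docker inspect <container...>` output, trimmed to the
# fields this audit reads. Names and paths are invented for the example.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/server-manager",
        "HostConfig": {
            "Privileged": True,
            "Binds": ["/:/mnt/host", "/var/run/docker.sock:/var/run/docker.sock"],
        },
        "Mounts": [
            {"Type": "bind", "Source": "/", "Destination": "/mnt/host", "RW": True},
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
        ],
    },
    {
        "Name": "/static-site",
        "HostConfig": {"Privileged": False, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/www",
             "Destination": "/usr/share/nginx/html", "RW": False},
        ],
    },
])

# Common host paths for the Docker daemon socket.
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

# Findings that on their own grant host-root-equivalent control.
ROOT_EQUIVALENT = ("privileged", "docker-socket", "host-root")


def audit_container(info: dict) -> list[str]:
    """Return the risk findings for one container's inspect record."""
    findings = []
    if info.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged")
    for mount in info.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue  # named volumes and tmpfs do not expose host paths
        source = mount.get("Source", "")
        if source in DOCKER_SOCKETS:
            findings.append("docker-socket")
        elif source == "/":
            # A read-only root mount still leaks every host file, but cannot rewrite them.
            findings.append("host-root" if mount.get("RW") else "host-root-ro")
    return findings


def audit_inspect_output(raw: str) -> dict[str, list[str]]:
    """Map each container name in a `docker inspect` JSON array to its findings."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(raw)}


def host_root_equivalent(findings: list[str]) -> bool:
    """True when any finding alone amounts to root on the host."""
    return any(f in ROOT_EQUIVALENT for f in findings)


if __name__ == "__main__":
    # Pipe real output in (docker inspect $(docker ps -q) | python3 audit.py)
    # or run with no stdin to audit the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_output(raw).items():
        verdict = "HOST-ROOT" if host_root_equivalent(findings) else "scoped"
        print(f"{name:20} {verdict:10} {', '.join(findings) or '-'}")
```

The audit deliberately treats the three conditions as equivalent, which is the commenter's own argument: removing `-v /:/mnt/host` from a container that keeps the socket changes comfort, not privilege. Only a container that shows none of the three (the second sample) is actually confined by its mounts.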