From 2a8f833d65e64b893e7a66ae3cbd43b5670841c6 Mon Sep 17 00:00:00 2001
From: Chris Sherwood
Date: Fri, 13 Mar 2026 20:07:26 -0700
Subject: [PATCH] fix(security): disable Dozzle web shell access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dozzle's DOZZLE_ENABLE_SHELL=true on an unauthenticated port allows anyone on the LAN to open a shell into containers, including nomad_admin which has the Docker socket mounted — creating a path to host root.

Disables shell access while keeping log viewing and container actions (restart/stop) enabled.

Closes #278

Co-Authored-By: Claude Opus 4.6
---
 install/management_compose.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/management_compose.yaml b/install/management_compose.yaml
index b1b17d1..efa9725 100644
--- a/install/management_compose.yaml
+++ b/install/management_compose.yaml
@@ -52,7 +52,7 @@ services:
 - /var/run/docker.sock:/var/run/docker.sock # Allows Dozzle to read logs from the Host's Docker daemon
 environment:
 - DOZZLE_ENABLE_ACTIONS=true # Enables the action buttons (restart, stop, etc.)
- - DOZZLE_ENABLE_SHELL=true # Enables web-based shell access
+ - DOZZLE_ENABLE_SHELL=false # Disabled — shell access + Docker socket = privilege escalation
 mysql:
 image: mysql:8.0
 container_name: nomad_mysql
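Review bot: Flipping `DOZZLE_ENABLE_SHELL` to `false` closes the interactive path, but the same unauthenticated LAN audience described in the commit message keeps `DOZZLE_ENABLE_ACTIONS=true` on the context line above and the full `/var/run/docker.sock` mount at the top of the hunk, so any LAN client can still stop or restart every container (nomad_admin included) and read every container's logs, which routinely carry tokens and connection strings. Since the description itself says the port is unauthenticated, this change should be paired with either Dozzle's built-in authentication (it exposes a `DOZZLE_AUTH_PROVIDER` setting; confirm the accepted values for the image version in use) or publishing the port only on loopback or a management interface; a `:ro` suffix on the socket mount would not help here, because it restricts filesystem operations, not API calls made over the socket. The dozzle service's `image:` and `ports:` lines sit above the hunk, so the actual exposure cannot be confirmed from this view. I would also extend the new inline comment so the residual risk is recorded next to the setting: `# Disabled — shell access + Docker socket = privilege escalation; actions and log access remain unauthenticated, see #278`.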