fix(security): disable Dozzle web shell access

Dozzle's DOZZLE_ENABLE_SHELL=true on an unauthenticated port allows
anyone on the LAN to open a shell into containers, including nomad_admin
which has the Docker socket mounted — creating a path to host root.

Disables shell access while keeping log viewing and container actions
(restart/stop) enabled.

Closes #278

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Chris Sherwood 2026-03-13 20:07:26 -07:00 committed by Jake Turner
parent 6a737ed83f
commit bd642ac1e8
@ -52,7 +52,7 @@ services:
- /var/run/docker.sock:/var/run/docker.sock # Allows Dozzle to read logs from the Host's Docker daemon
environment:
- DOZZLE_ENABLE_ACTIONS=true # Enables the action buttons (restart, stop, etc.)
- DOZZLE_ENABLE_SHELL=true # Enables web-based shell access
- DOZZLE_ENABLE_SHELL=false # Disabled — shell access + Docker socket = privilege escalation
mysql:
image: mysql:8.0
container_name: nomad_mysql
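Review bot: Disabling DOZZLE_ENABLE_SHELL closes the shell path described in the commit message, but the same unauthenticated LAN exposure remains for the part of this hunk that keeps DOZZLE_ENABLE_ACTIONS=true, so anyone who could reach the port can still restart or stop containers, nomad_admin included, and the Docker socket on the line above the environment block is still mounted into Dozzle. Consider pairing this change with authentication on Dozzle or binding the port so it is not reachable from the LAN, and either documenting why actions stay enabled or setting DOZZLE_ENABLE_ACTIONS=false until that is in place. The inline comment on the new line also states the reasoning in shorthand; a pointer to #278 there would make the intent clearer to whoever next edits this file.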