fix: restrict docker commands for ai-worker (SUPERSEDED by PR #65) #64

Closed
Hermes wants to merge 1 commit from feat/restrict-docker-commands-for-ai-worker into master
Collaborator

Security Fix: Remove ai-worker from docker group

Problem

The ai-worker user was a member of the docker group, giving unrestricted access to the Docker daemon. This allowed any docker command, including:

  • docker exec — execute arbitrary commands inside running containers (file modification)
  • docker cp — copy files between containers and host
  • docker run -v /:/host alpine — full host filesystem escape
  • docker commit — create images from running containers (data exfiltration)

An agent using ai-worker SSH access was able to generate a Gitea admin token via docker exec -u git gitea gitea admin user generate-access-token -u gortium, bypassing permission controls.

Solution

  • Removed extraGroups = ["docker"] from ai-worker
  • Added comprehensive sudo NOPASSWD whitelist for only safe docker subcommands

Allowed (via sudo)

docker ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls

Blocked (implicitly — not in sudo whitelist)

docker exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create

Impact

  • All existing docker commands in Hermes agent's host_run must now be prefixed with sudo
  • Ollama benchmarking via HTTP API (not docker exec) is unaffected
  • CI/CD workflows using docker compose are still functional (compose is allowed)
  • NixOS rebuild via nh or nixos-rebuild remains blocked (no sudo for those commands)

Files Modified

  • users/ai-worker.nix — new sudo whitelist
  • modules/nixos/security/ai-worker-restricted.nix — updated comments
  • modules/nixos/security/README-ai-worker.md — updated documentation

Closes security incident where agent created Gitea admin token via docker exec.

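The description above lists `docker run -v /:/host alpine` as one of the escapes the docker group enabled, and at the same time keeps `run` and `compose` on the sudo whitelist. Because sudoers matches a command's arguments as one space-joined string against a glob such as `docker run *`, it cannot tell `docker run alpine` from `docker run -v /:/host alpine`, and it never sees the volumes declared inside a compose file at all. The checker below is an added example written for this page, not code from the gortium/infra repository or from PR #65. It models the allow-list exactly as the PR describes it, simulates sudo's matching, and then flags allowed commands that still hand the container host resources. The docker binary path, the one-rule-per-subcommand sudoers rendering, the flag list, and the sample command lines are assumptions or constructed inputs, not taken from the page.

```python
"""Added example (not code from the gortium/infra repo): models the sudo NOPASSWD
allow-list described in the PR so the policy can be checked against candidate
command lines before it is deployed.  Assumptions, not taken from the page:
the docker binary path, the sudoers rendering (exact match plus a trailing '*'
glob per subcommand) and the HOST_ACCESS_FLAGS list."""
import shlex

DOCKER = "/run/current-system/sw/bin/docker"   # assumed path for the NixOS system profile

# Allowed subcommands, as listed in the PR description.
ALLOWED = [
    "ps", "inspect", "logs", "images", "info", "version", "stats", "start",
    "stop", "restart", "rm", "rmi", "wait", "pull", "build", "run", "compose",
    "system", "network ls", "volume ls",
]

# docker run options that hand the container host resources.  sudo only matches
# the argument string against the glob, so it never inspects these.
HOST_ACCESS_FLAGS = {
    "-v", "--volume", "--mount", "--privileged", "--pid", "--ipc", "--userns",
    "--cgroupns", "--cap-add", "--security-opt", "--device", "--net", "--network",
}


def sudoers_rules(user="ai-worker", docker=DOCKER):
    """Render the allow-list as sudoers lines (one rule per subcommand)."""
    return [f"{user} ALL=(root) NOPASSWD: {docker} {sub}, {docker} {sub} *"
            for sub in ALLOWED]


def sudo_allows(argv):
    """Simulate sudo's command matching for the rules above.

    sudoers compares the whole space-joined argument string against the glob, so
    '<sub> *' matches '<sub>' followed by any further arguments, while
    'network ls' does not match 'network create'.
    """
    if len(argv) < 2 or argv[0] not in ("docker", DOCKER):
        return False
    args = " ".join(argv[1:])
    return any(args == sub or args.startswith(sub + " ") for sub in ALLOWED)


def host_access_reason(argv):
    """Return why an *allowed* command can still reach the host, or None."""
    sub, rest = argv[1], argv[2:]
    if sub == "run":
        for tok in rest:
            flag = tok.split("=", 1)[0]          # handles --pid=host as well as -v /:/host
            if flag in HOST_ACCESS_FLAGS:
                return f"docker run {flag}: host mount or privilege passed on the command line"
    if sub == "compose":
        return "docker compose: volumes and privileges come from the compose file, not argv"
    return None


def classify(cmdline):
    """'denied', 'allowed', or 'allowed: <host-access reason>' for one command line."""
    argv = shlex.split(cmdline)
    if not sudo_allows(argv):
        return "denied"
    reason = host_access_reason(argv)
    return f"allowed: {reason}" if reason else "allowed"


# Constructed sample command lines: the incident command from the PR plus
# representative allowed, blocked and still-dangerous cases.
SAMPLES = [
    "docker exec -u git gitea gitea admin user generate-access-token -u gortium",
    "docker ps -a",
    "docker logs gitea",
    "docker network ls",
    "docker network create evil",
    "docker run -v /:/host alpine",
    "docker run --mount type=bind,src=/,dst=/host alpine",
    "docker run --privileged alpine",
    "docker compose -f /tmp/evil.yml up -d",
]


def audit(samples=SAMPLES):
    """Map each sample command line to its verdict."""
    return {cmd: classify(cmd) for cmd in samples}


if __name__ == "__main__":
    for cmd, verdict in audit().items():
        print(f"{verdict:<75} {cmd}")
```

Running the block shows the `docker exec` incident command and `docker network create` denied, but every `docker run` with a bind mount or privilege flag, and any `docker compose up`, still allowed by sudo. A subcommand whitelist therefore removes the most obvious command, not the capability: anything that can start a container with a host mount is still root on the host. If the allow-list is kept, `run` and `compose` are the entries to drop, or the agent's calls need to go through a wrapper that constructs the container arguments itself rather than passing them through sudo.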
Hermes added 1 commit 2026-05-21 00:34:31 +00:00
Remove ai-worker from docker group and enforce sudo whitelist.

SECURITY: Being in the docker group gives unrestricted access to the
Docker daemon socket (/var/run/docker.sock), allowing any docker command:
docker exec, docker cp, docker run -v /:/host, docker commit, etc.

Changes:
- Remove extraGroups = ["docker"] from ai-worker user definition
- Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands
  ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop,
  restart, rm, rmi, wait, pull, build, run, compose, system,
  network ls, volume ls
  BLOCKED (implicitly): exec, cp, commit, diff, export, import, load,
  save, attach, push, tag, create, plugin, network create, volume create
- Update ai-worker-restricted.nix module to reflect new approach
- Update README-ai-worker.md with new security model and examples

All docker commands must now be prefixed with sudo.
The Hermes agent's host_run tool needs to be updated to prepend sudo.
Hermes changed title from fix: restrict docker commands for ai-worker user (remove docker group, enforce sudo whitelist) to fix: restrict docker commands for ai-worker (SUPERSEDED by PR #65) 2026-05-21 00:42:51 +00:00
Hermes closed this pull request 2026-05-21 00:42:51 +00:00

Reference: gortium/infra#64