fix(security): disable Dozzle web shell access

chriscrosstalk · claude · jakeaturner · commit 2a8f833d65e6 · 2026-03-19T23:19:17.000Z
Dozzle's DOZZLE_ENABLE_SHELL=true on an unauthenticated port allows anyone on the LAN to open a shell into containers, including nomad_admin which has the Docker socket mounted — creating a path to host root. Disables shell access while keeping log viewing and container actions (restart/stop) enabled. Closes #278 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/install/management_compose.yaml b/install/management_compose.yaml
@@ -52,7 +52,7 @@ services:
       - /var/run/docker.sock:/var/run/docker.sock # Allows Dozzle to read logs from the Host's Docker daemon
     environment:
       - DOZZLE_ENABLE_ACTIONS=true # Enables the action buttons (restart, stop, etc.)
-      - DOZZLE_ENABLE_SHELL=true  # Enables web-based shell access
+      - DOZZLE_ENABLE_SHELL=false  # Disabled — shell access + Docker socket = privilege escalation
   mysql:
     image: mysql:8.0
     container_name: nomad_mysql
