Security concerns about act runners

Hello, someone raised a security concern about the binding of docker.sock in a Github issue. Supposedly, it can be solved by using gitea/act_runner:latest-dind-rootless.

However, in the act runner deployment examples, the DIND example is ran with privileged: true. Isn’t this also a security risk?

Should I be worried about using runners on a machine?

I was wondering the same thing.

Did you manage to run the runner with the rootless image, as mentioned in the ‘deployment examples’ link that you shared? Because I had some trouble getting that set-up and had to fall back to the ‘root’ image.

Luckily it’s just my private instance, and not a production environment, otherwise this wouldn’t really be acceptable.

I can’t answer that. I have the same use case and use the root image.

privileged: true

is a requirement for DIND, but it will not give special permissions to job container.