By default, we can't use docker as a non-root user. Have you ever wondered why?
Docker can set the group ownership of /run/docker.socket to the docker group with permission mode 660. This lets any user added to the docker group run docker containers without executing sudo to become root. 🚨
Here's the default permission for the docker socket:
ls -l /var/run/docker.sock
srw-rw----. 1 root docker 0 Feb 3 13:02 /var/run/docker.sock
Here's a secured docker socket configuration:
ls -l /var/run/docker.sock
srw-rw----. 1 root root 0 Feb 3 13:02 /var/run/docker.sock
Why? Simple: if a user can talk to the docker socket, they can execute the following command to gain full root access to the host system.
docker run -ti --privileged -v /:/host fedora chroot /host
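The two ls -l listings above are the whole check: a socket the docker group can write to makes every member of that group root-equivalent, while root:root with no group or world bits leaves only root able to talk to the daemon. The script below is an added example, not part of the original post; it classifies a socket from its ls -l line and, when run with --live, reports who is currently root-equivalent through the docker group. It assumes GNU-style ls -l output and a working getent; the ls lines and the group entry used in the comments and tests are constructed samples.

```shell
#!/bin/bash
# Added example (not from the original post): audit who can reach the Docker
# socket. Verdicts follow the post's rule: docker group writable == every
# member is root-equivalent; root:root with no group/world bits == root only.

# classify_socket_line "<one line of ls -l output>"
# Prints: world-accessible | docker-group | locked-down | other
classify_socket_line() {
    set -- $1                                  # split: perms links owner group ...
    perms=$1 owner=$3 group=$4
    gperm=$(printf '%s' "$perms" | cut -c5-7)  # rwx bits for the group
    operm=$(printf '%s' "$perms" | cut -c8-10) # rwx bits for everyone else

    if [ "$operm" != "---" ]; then
        echo world-accessible                  # any local user is root-equivalent
    elif [ "$gperm" = "---" ]; then
        # group has no access: safe only when the owner is root
        if [ "$owner" = root ]; then echo locked-down; else echo other; fi
    elif [ "$owner" = root ] && [ "$group" = root ]; then
        echo locked-down                       # the post's "secured" configuration
    elif [ "$group" = docker ]; then
        echo docker-group                      # the post's default: docker group == root
    else
        echo other                             # unexpected group owns it; investigate
    fi
}

# docker_group_members "<line from: getent group docker>"
# Prints the members as space-separated names (empty when nobody is in it).
docker_group_members() {
    printf '%s' "$1" | cut -d: -f4 | tr ',' ' '
}

# audit_socket [PATH]: classify a live socket (default /var/run/docker.sock)
# and list the users that are root-equivalent through the docker group.
audit_socket() {
    sock=${1:-/var/run/docker.sock}
    if [ ! -S "$sock" ]; then
        echo "no socket at $sock"
        return 0
    fi
    verdict=$(classify_socket_line "$(ls -l "$sock")")
    echo "$sock: $verdict"
    if [ "$verdict" = docker-group ]; then
        members=$(docker_group_members "$(getent group docker || true)")
        echo "root-equivalent via docker group: ${members:-<none>}"
    fi
}

# Only touch the live system when asked, so the file can also be sourced.
if [ "${1:-}" = --live ]; then
    audit_socket "${2:-}"
fi
```

Run it as `sh audit-docker-sock.sh --live` (or `--live /path/to/other.sock`); a verdict of docker-group followed by a member list is the condition the post warns about, and world-accessible means the socket mode was loosened beyond even the default.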
Similarly, the sudo config below gives the non-root user (xx) full root access to the host system.
grep xx /etc/sudoers
xx ALL=(ALL) NOPASSWD: ALL
This effectively allows the non-root user to run sudo sh and get full root access to the host system.
There are two ways to secure the host: one with sudo (which provides logging and auditing) and one by locking down the docker socket permissions (no auditing, and events disappear when the docker daemon restarts).
Setting up sudo
Add an entry like the following to /etc/sudoers.
grep xx /etc/sudoers
xx ALL=(ALL) NOPASSWD: /usr/bin/docker
This will allow the specified user (xx) to run docker as root, without a password. Next, set up an alias for running the docker command:
alias docker="sudo /usr/bin/docker"
Now when the user executes the docker command as non-root, it is allowed and properly logged.
docker run -ti --privileged -v /:/host fedora chroot /host
Then look at the journal or /var/log/messages.
journalctl -b | grep docker.*privileged
Feb 04 09:02:56 dhcp-10-19-62-196.boston.devel.redhat.com sudo[23422]: xx : TTY=pts/3 ; PWD=/home/xx/docker ; USER=root ; COMMAND=/usr/bin/docker run -ti --privileged -v /:/host fedora chroot /host
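The value of the sudo route is that every docker invocation lands in the journal with the invoking user and the full command line, as in the entry above. The script below is an added example, not part of the original post; it checks that a sudoers line is the narrow docker-only rule rather than the blanket NOPASSWD: ALL, and pulls the sudo events that ran docker out of journal lines, marking the ones that use --privileged or bind-mount / into the container. The sudo log format is the one sudo writes to syslog/journald; the journal lines in the demo and tests are constructed samples modelled on the entry above.

```shell
#!/bin/bash
# Added example (not from the original post): verify the sudoers rule and
# audit sudo-logged docker commands from journal lines.

# classify_sudoers_rule "<one sudoers line>"
# Prints: unrestricted | docker-only | other
classify_sudoers_rule() {
    spec=${1#*=}                    # drop "user host=" -> "(ALL) NOPASSWD: ALL"
    case $spec in
        "("*) spec=${spec#*\)} ;;   # drop the "(runas)" part when present
    esac
    cmds=${spec##*:}                # drop tags such as "NOPASSWD:"
    cmds=$(printf '%s' "$cmds" | tr -d ' \t')
    case $cmds in
        ALL)             echo unrestricted ;;  # "sudo sh" gives full root
        /usr/bin/docker) echo docker-only ;;   # the post's recommended entry
        *)               echo other ;;
    esac
}

# sudo_event_user "<journal line>": the invoking user, or nothing when the
# line is not a sudo event ("... sudo[PID]: USER : TTY=... ; COMMAND=...").
sudo_event_user() {
    case $1 in
        *" sudo["*"]: "*) rest=${1#*\]: }; echo "${rest%% :*}" ;;
        *) echo "" ;;
    esac
}

# sudo_event_command "<journal line>": the COMMAND= field, or nothing.
sudo_event_command() {
    case $1 in
        *COMMAND=*) echo "${1#*COMMAND=}" ;;
        *) echo "" ;;
    esac
}

# risk_of_docker_command "<command>"
# Prints host-root for the pattern the post shows escaping to the host
# (--privileged, or bind-mounting / into the container), else normal.
risk_of_docker_command() {
    case $1 in
        *--privileged*|*" -v /:"*|*" --volume /:"*|*"--volume=/:"*|*"-v=/:"*)
            echo host-root ;;
        *)  echo normal ;;
    esac
}

# audit_sudo_journal: read journal lines on stdin, print one tab-separated
# line (risk, user, command) per sudo event that ran docker.
# Usage: journalctl -b | audit_sudo_journal
audit_sudo_journal() {
    while IFS= read -r line; do
        user=$(sudo_event_user "$line")
        cmd=$(sudo_event_command "$line")
        [ -n "$user" ] && [ -n "$cmd" ] || continue
        case $cmd in */docker*|docker*) ;; *) continue ;; esac
        printf '%s\t%s\t%s\n' "$(risk_of_docker_command "$cmd")" "$user" "$cmd"
    done
}

# Demo over constructed journal lines (hostnames and PIDs are made up).
if [ "${1:-}" = --demo ]; then
    audit_sudo_journal <<'EOF'
Feb 04 09:02:56 host sudo[23422]: xx : TTY=pts/3 ; PWD=/home/xx/docker ; USER=root ; COMMAND=/usr/bin/docker run -ti --privileged -v /:/host fedora chroot /host
Feb 04 09:05:10 host sudo[23501]: xx : TTY=pts/3 ; PWD=/home/xx ; USER=root ; COMMAND=/usr/bin/docker ps
Feb 04 09:06:00 host sshd[23600]: Accepted publickey for xx from 10.0.0.5 port 51234 ssh2
EOF
fi
```

`sh audit-sudo-docker.sh --demo` prints two rows, the first tagged host-root and the second normal; against a real host, `journalctl -b | audit_sudo_journal` gives the same report for the current boot. Note that this only works for docker invocations that went through sudo: a user who can reach the socket directly leaves no sudo entry at all, which is the auditing gap the post describes.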
Links: