I am a Project Director, who needs my team to work with docker. However, we found non-root users can use docker containers as root user, which means they can access some important file mounted in container.
How to solve this question?
–user option is definately useless, as everyone can choose not to use it !
The normal docker engine runs as daemon with root permissions. If unprivileged users are granted access to the docker.sock, they can effectively use docker for permission escalation. It should be no surprise, as it is mentioned in the documentation.
You might want to look at this topic for further ideas:
Sorry to bother after such a long time. I still want to know is there any way that recognizes and let the non-root users still be at the non-root status, even though they have access the docker.sock?
For example, non-root user A uses docker. However, docker daemon recognizes it and converts all the root movements it performed in the container into a non-root movements.
Allowing unprivileged users access to the docker.sock basicly allows them to use the docker client to send commands to the docker engine. As already stated, the docker engine always runs as root. You could probably leverage OpenPolicyAgent to enforce the --user argument being present and have an id > 0. Though, instead, you might want to take a look at rootless mode
If you really want untrusted user to run arbitrary workloads on your machines: use kubernetes and use a policy engine like OpenPolicyAgent or Kyverno and be good.