Why does docker pull not ask for a password even though the storage path has permissions only for root?

I ask this question just out of curiosity.

I know that to stop being asked for a password when using the docker command I have to add my user to the docker group. Nevertheless, what I would like to know is about the docker pull command, since this one stores the docker images in /var/lib/docker (by default) and this path actually has write permissions only for the root user.

Output of running the command sudo ls -ld /var/lib/docker:

drwx--x--- 14 root root 4096 Mar 8 01:26 /var/lib/docker

As you can see above, only the root user can access and write to the docker folder, so my doubt here is why docker pull allows a regular user to download images to that path?

P.S.: My current user is not a member of root.

The relevant “file” permissions are those of the socket /var/run/docker.sock. Please share the output of ls -l /var/run/docker.sock and id.

The docker cli is just a client that communicates through docker.sock with the docker engine. The docker engine always runs as the root user (unless rootless docker is used).

So whoever is allowed to access docker.sock can control the docker engine.

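The check the reply asks for (socket mode, owner and group against the caller's groups), written out as an added example that is not part of the thread. `can_use_socket` applies the Unix rule that the owner bits, then the group bits, then the other bits decide, and that the client needs both read and write on the socket; `check_live` feeds it the real socket. Assumptions: a Linux host with GNU coreutils `stat -c`, and the default socket path /var/run/docker.sock from the thread. Note that none of this looks at /var/lib/docker: the daemon, running as root, is what writes there, so the client's permissions on that directory never matter.

```shell
#!/bin/sh
# Added example (not from the original thread): decide offline whether a user can
# talk to the Docker daemon without sudo, from the socket's permissions and the
# user's group list. Unix semantics: if you own the socket only the owner bits
# apply; else if you are in its group the group bits apply; else the other bits.

# can_use_socket MODE OWNER GROUP USER GROUPS
#   MODE   permission string as printed by ls -l, e.g. "srw-rw----"
#   OWNER  owner of the socket (e.g. root)
#   GROUP  group of the socket (e.g. docker)
#   USER   the user being checked
#   GROUPS space-separated names of USER's groups, as printed by `id -Gn`
# Prints "yes" or "no".
can_use_socket() {
  mode=$1 owner=$2 group=$3 user=$4 groups=$5
  if [ "$user" = "$owner" ]; then
    bits=$(printf '%s' "$mode" | cut -c2-3)        # owner rw bits
  else
    case " $groups " in
      *" $group "*) bits=$(printf '%s' "$mode" | cut -c5-6) ;;  # group rw bits
      *)            bits=$(printf '%s' "$mode" | cut -c8-9) ;;  # other rw bits
    esac
  fi
  # The client needs both read and write on the socket to issue API calls.
  if [ "$bits" = rw ]; then echo yes; else echo no; fi
}

# check_live
#   Same check against the real socket. Assumes GNU `stat -c` (Linux) and the
#   default socket path used in the thread.
check_live() {
  sock=/var/run/docker.sock
  [ -S "$sock" ] || { echo "no socket at $sock"; return 1; }
  set -- $(stat -c '%A %U %G' "$sock")             # mode owner group
  can_use_socket "$1" "$2" "$3" "$(id -un)" "$(id -Gn)"
}

# Constructed inputs mirroring the thread: socket srw-rw---- root:docker, and
# a user whose supplementary groups include docker.
example_from_thread() {
  can_use_socket 'srw-rw----' root docker edgar \
    'edgar kvm libvirt games vboxusers wireshark docker wheel dialout'
}
```

Running `sh -c '. ./socket_check.sh; check_live'` on the host prints `yes` for a member of the docker group and `no` for anyone else; `sudo` sidesteps the question entirely because the client then runs as the socket's owner.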

Thanks! That explains a lot! I did not know how docker and docker.sock worked, but this helped me a lot.

Btw, the output of ls -ld /var/run/docker.sock is:

srw-rw---- 1 root docker 0 Mar 8 12:14 /var/run/docker.sock

And the output of id (as you can see one of my supplementary groups is docker):

uid=1000(edgar) gid=1000(edgar) groups=1000(edgar),36(kvm),108(libvirt),442(games),452(vboxusers),453(wireshark),464(docker),473(wheel),494(dialout)

The docker group has rw access to docker.sock, and therefore that's the reason why I'm allowed to use docker pull without being asked for a password.

Is there a way to accept an answer on this site, or are only likes possible?

It is not restricted to just docker pull. Bear in mind that only trusted users should be granted access to docker.sock, as they could use docker to escalate privileges.

As the General Discussion category does not allow marking posts as solutions, I moved the topic to the “DockerEngine” category.

Thanks again! I’ve accepted now your answer!

So all docker commands (such as docker ps, docker run, etc.) use this docker socket (the docker client in general).

Regarding:

Bear in mind that only trusted users should be granted access to the docker.sock, as they could use docker to escalate privileges.

What would be another safe way to run docker containers? Using sudo directly? Or using rootless docker? I've read about the latter, but I do not know if it is still in experimental mode or if it is recommended to use it.
Any links/resources are appreciated if this topic requires a detailed explanation.

I didn't say it's safer or less safe to grant unprivileged users access to docker.sock. The message is: whoever has access can easily mount /etc/groups into a container and add themselves to a group. Adding users to the docker group is more convenient and therefore often used in development or homelab environments.

General rule of thumb: do not give untrusted users access to your docker.sock.

This old post of mine might give you an idea: Prohibit access to the inside of the container - #2 by meyay.

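What "mount the group file into a container and add yourself to a group" amounts to, as an added example that is not part of the thread (the host file is /etc/group; the post writes /etc/groups). `add_to_group` is the edit itself, run in `demo` on a constructed copy so it works offline; `run_against_host` is the variant a socket user would actually execute, and it assumes `docker` on the PATH, a pull of the `alpine` image, and that the script is saved as a file so it can be mounted into the container. Two practitioner caveats it encodes: the daemon runs as root, so the caller's own uid is irrelevant once the socket is reachable; and a single-file bind mount of /etc/group cannot be replaced by the rename that editors and `sed -i` perform, so the whole /etc directory is mounted and the file is edited inside it.

```shell
#!/bin/sh
# Added example (not from the original thread): the group-file edit a docker.sock
# user can perform as root through the daemon. Group file format is
# name:password:gid:member1,member2,...

# add_to_group FILE USER GROUP
#   Append USER to GROUP's member list in FILE, once; other lines untouched.
#   Writes FILE.tmp beside FILE and renames it over FILE, which is why the
#   container variant mounts the directory rather than the single file.
add_to_group() {
  file=$1 user=$2 group=$3
  awk -F: -v OFS=: -v u="$user" -v g="$group" '
    $1 == g {
      if ($4 == "") $4 = u
      else if (index("," $4 ",", "," u ",") == 0) $4 = $4 "," u
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# members FILE GROUP
#   Print GROUP's member list from FILE.
members() {
  awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# demo
#   Offline walk-through on a constructed group file (not the real /etc/group):
#   edgar, already in docker, is added to wheel. Prints the resulting wheel
#   member list.
demo() {
  tmp=$(mktemp)
  printf 'root:x:0:\nwheel:x:10:alice\ndocker:x:464:edgar\n' > "$tmp"
  add_to_group "$tmp" edgar wheel
  members "$tmp" wheel
  rm -f "$tmp"
}

# run_against_host USER GROUP
#   The same edit applied to the host's real /etc/group via the daemon, which
#   runs as root no matter who the caller is. Assumes docker is installed, the
#   alpine image is available, and this script is saved as a file. The /etc
#   directory is mounted (not just the file) so the rename in add_to_group works.
run_against_host() {
  self=$(cd "$(dirname "$0")" && pwd)/$(basename "$0")
  docker run --rm -v /etc:/host-etc -v "$self":/tool.sh:ro alpine \
    sh -c '. /tool.sh && add_to_group /host-etc/group "$1" "$2"' _ "$1" "$2"
}
```

`sh -c '. ./group_mount.sh; demo'` prints `alice,edgar` without touching the system; `sh -c '. ./group_mount.sh; run_against_host "$(id -un)" wheel'` is the escalation meyay describes, and it succeeds for exactly the users `ls -l /var/run/docker.sock` says may write to the socket. After the edit takes effect on the next login, the caller is a member of whatever group they chose, which is why the rule of thumb is not to hand docker.sock to untrusted users.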

Oh, nice. This is so helpful! Especially the example about mounting /etc/groups helped me to understand better the message about the possible risks of granting untrusted users access to docker.sock.
Thanks for your time!