I know that to stop being asked for a password when using the docker command I have to add my user to the docker group. Nevertheless, what I would like to know is about the docker pull command, since this one stores the docker images in /var/lib/docker (by default) and this path actually has write permissions only for the root user.
Output of running the command sudo ls -ld /var/lib/docker:
drwx--x--- 14 root root 4096 Mar 8 01:26 /var/lib/docker
As you can see above, only the root user can access and write to the docker folder, so my doubt here is: why does docker pull allow a regular user to download images to that path?
So all docker commands (such as docker ps, docker run, etc.) use this docker socket (the docker client in general).
Bear in mind that only trusted users should be granted access to the docker.sock, as they could use docker to escalate privileges.
What would be another safe way to run docker containers? Using sudo directly? Or using docker rootless? I've read about the last one but I don't know if it is still in experimental mode or if it is recommended to use it.
Any links/resources are appreciated if this topic requires a detailed explanation.
I didn't say it's safer or less safe to grant unprivileged users access to the docker.sock. The message is: whoever has access can easily mount /etc/groups into a container and add themselves to a group. Adding users to the docker group is more convenient and therefore often used in development or homelab environments.
General rule of thumb: do not give untrusted users access to your docker.sock.
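A small audit script, added here as an example and not part of the thread, that checks the two things the answer above turns on: who can reach the Docker socket (its owner, group and mode, plus docker group membership), and whether any running container bind-mounts host paths such as /etc or the socket itself. It assumes the defaults named in the thread (socket at /var/run/docker.sock, group "docker") and a standard group(5)-format file.

```shell
#!/bin/sh
# Added audit helper, not from the thread: report who can reach the Docker
# socket and which running containers bind-mount sensitive host paths (the
# /etc/group trick described above is why that matters). Assumes the
# defaults named in the thread: socket /var/run/docker.sock, group "docker".

# Members of a group (field 4 of a group(5)-format file).
# Usage: group_members <groupname> <group-file>
group_members() {
  awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Read lines "<container> <src>:<dst>[:opts]" on stdin; print "<container> <src>"
# for binds whose host source is /, /etc, /root or the Docker socket itself.
sensitive_binds() {
  awk '{
    split($2, m, ":"); src = m[1]
    if (src == "/" || src ~ "^/etc(/|$)" || src ~ "^/root(/|$)" ||
        src == "/var/run/docker.sock")
      print $1 " " src
  }'
}

audit() {
  sock=${DOCKER_SOCK:-/var/run/docker.sock}
  if [ -S "$sock" ]; then
    echo "socket: $(ls -l "$sock")"   # owner/group/mode decide who can talk to dockerd
  else
    echo "socket: $sock not found"
  fi
  members=$(group_members docker /etc/group)
  echo "docker group members: ${members:-(none)}"
  if command -v docker >/dev/null 2>&1; then
    # One line per bind mount of every running container.
    docker ps -q | while read -r id; do
      docker inspect --format \
        '{{$n := .Name}}{{range .HostConfig.Binds}}{{$n}} {{.}}{{"\n"}}{{end}}' "$id"
    done | sensitive_binds | sed 's/^/sensitive bind: /'
  fi
}

# Run the audit only when invoked as a script with --run, so the functions can
# also be sourced and used individually.
if [ "${1:-}" = "--run" ]; then
  audit
fi
```

Run it as `sh audit.sh --run` on the host; the docker inspect step needs socket access itself, so run it as root or as a user you already trust with the socket.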
Oh, nice. This is so helpful! Especially the example about mounting /etc/groups helped me to better understand the message about the possible risks of granting untrusted users access to docker.sock.
Thanks for your time!