I know that to stop being asked for a password when using the docker command I have to add my user to the docker group. Nevertheless, what I would like to know is about the docker pull command, since this one stores the docker images in /var/lib/docker (by default) and this path actually only has write permissions for the root user.
Output of running the command sudo ls -ld /var/lib/docker:
drwx--x--- 14 root root 4096 Mar 8 01:26 /var/lib/docker
As you can see above, only the root user can access and write to the docker folder, so my doubt here is: why does docker pull allow a regular user to download images to that path?
The relevant “file” permissions are those of the socket /var/run/docker.sock. Please share the output of ls -l /var/run/docker.sock and id.
The docker cli is just a client that communicates through the docker.sock with the docker engine. The docker engine always runs as the root user (unless rootless docker is used).
So whoever is allowed to access the docker.sock can control the docker engine.
It is not restricted to just docker pull. Bear in mind that only trusted users should be granted access to the docker.sock, as they could use docker to escalate privileges.
As the General Discussion category does not allow marking posts as solutions, I moved the topic to the “DockerEngine” category.
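The replies above come down to one check: can this user open the docker.sock? The script below is an added example written for this thread (it is not from the original poster or from Docker) that decides that from the two outputs requested earlier, `ls -l /var/run/docker.sock` and `id`. It parses constructed sample lines so it runs without a daemon present, and, if a real socket exists on the machine it runs on, repeats the decision for the current user. It applies the rule that connecting to a Unix stream socket needs write permission on the socket file, and treats root as always allowed. The user and group names in the samples are made up.

```shell
#!/bin/sh
# Added example: decide whether a user can reach the Docker daemon through
# /var/run/docker.sock, given the text of `ls -l <socket>` and `id`.
# Prints "yes" or "no"; always returns 0 so it is safe under `set -e`.
socket_access() {
  ls_line=$1
  id_line=$2
  mode=$(printf '%s\n' "$ls_line" | awk '{print $1}')    # e.g. srw-rw----
  owner=$(printf '%s\n' "$ls_line" | awk '{print $3}')   # owning user
  group=$(printf '%s\n' "$ls_line" | awk '{print $4}')   # owning group
  # user name from "uid=1000(alice) ..."
  user=$(printf '%s\n' "$id_line" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
  # group names from "groups=1000(alice),999(docker)"; tokens that do not look
  # like "<gid>(<name>)" (e.g. an SELinux context) are ignored
  grp_list=$(printf '%s\n' "$id_line" | sed -n 's/.*groups=//p' \
             | tr ',' '\n' | sed -n 's/^[0-9]*(\([^)]*\))$/\1/p')

  if [ "$user" = root ]; then echo yes; return 0; fi
  # owner write bit is character 3 of the mode string
  if [ "$user" = "$owner" ] && [ "$(printf '%s' "$mode" | cut -c3)" = w ]; then
    echo yes; return 0
  fi
  # group write bit is character 6; the user must be a member of the owning group
  for g in $grp_list; do
    if [ "$g" = "$group" ] && [ "$(printf '%s' "$mode" | cut -c6)" = w ]; then
      echo yes; return 0
    fi
  done
  # world write bit is character 9 (a daemon socket should never be set this way)
  if [ "$(printf '%s' "$mode" | cut -c9)" = w ]; then echo yes; return 0; fi
  echo no
  return 0
}

# Constructed samples: a typical socket owned by root:docker, one user in the
# docker group and one who is not.
SAMPLE_SOCK='srw-rw---- 1 root docker 0 Mar  8 01:26 /var/run/docker.sock'
SAMPLE_ALICE='uid=1000(alice) gid=1000(alice) groups=1000(alice),999(docker)'
SAMPLE_BOB='uid=1001(bob) gid=1001(bob) groups=1001(bob)'
echo "alice: $(socket_access "$SAMPLE_SOCK" "$SAMPLE_ALICE")"   # yes
echo "bob:   $(socket_access "$SAMPLE_SOCK" "$SAMPLE_BOB")"     # no

# Live check for the current user, only if a socket is present on this host.
if [ -S /var/run/docker.sock ]; then
  echo "current user: $(socket_access "$(ls -l /var/run/docker.sock)" "$(id)")"
fi
```

Because every docker subcommand goes through the same socket, a "yes" here means the user can drive the whole engine, which on a root daemon is equivalent to root on the host; the decision is the same whether the user typed docker pull or docker run.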
So all docker commands (such as docker ps, docker run, etc) use this docker socket (the docker client in general).
Regarding:
Bear in mind that only trusted users should be granted access to the docker.sock, as they could use docker to escalate privileges.
What would be another safe way to run docker containers? Using sudo directly? Or using docker rootless? I’ve read about the last one, but I don’t know if it is still in experimental mode or if it is recommended to use it.
Any links/resources are appreciated if this topic requires a detailed explanation.
I didn’t say it’s safer or unsafer to grant unprivileged users access to the docker.sock. The message is: whoever has access can easily mount /etc/groups into a container and add themselves to a group. Adding users to the docker group is more convenient and therefore often used in development or homelab environments.
General rule of thumb: do not give untrusted users access to your docker.sock.
Oh, nice. This is so helpful! Especially the example about mounting /etc/groups helped me to understand better the message about the possible risks of granting untrusted users access to docker.sock.
Thanks for your time!