Docker daemon Attack Surface or error: “Got permission denied while trying to connect to the Docker daemon socket…”

Jon Goldman
2 min readJan 2, 2020



From a security perspective it is important to be aware that running containers and applications with Docker implies running the Docker daemon, and the daemon needs root privileges. The rootless mode that avoids this is still experimental.

By default the daemon listens on a UNIX socket (/var/run/docker.sock) rather than a TCP port. That socket is owned by “root”, so other users can only reach it through “sudo”, and the daemon itself always runs as the “root” user.

If you do not want to prefix every “docker” command with “sudo”, create a group called “docker” and add users to it. When the Docker daemon starts, it makes the socket readable and writable by members of the “docker” group. The “Got permission denied while trying to connect to the Docker daemon socket” error in the title is exactly this check failing: the calling user is neither root nor a member of the “docker” group.

Be aware that membership in the “docker” group grants privileges equivalent to the “root” user.

Only trusted users should be allowed to control your Docker daemon. This is a direct consequence of some of Docker's powerful features. In particular, Docker lets you share a directory between the Docker host and a container without limiting the access rights of the container. That means you can start a container in which the /host directory is the / directory of your host; the container can then alter your host filesystem without any restriction. This is similar to how virtualization systems allow filesystem resource sharing.
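As an added example (not code from the original post or from Docker), the following Python audits the two facts above: who is in the “docker” group, and which accounts can connect to the daemon socket, which for a UNIX socket means having write permission on the socket file. It works on /etc/group-formatted text and stat() fields so it runs offline; the sample group file, UIDs and GIDs below are constructed, and live_socket_ownership() is the only call that touches the real host.

```python
"""Audit who can control the Docker daemon through its UNIX socket.

Added example, not code from the original post. Every member of the
docker group, and every account that can write to the socket file, is
root-equivalent on the host: `docker run -v /:/host ...` is all it takes.
"""
from __future__ import annotations

import os
import stat
from dataclasses import dataclass
from typing import Optional

DOCKER_SOCK = "/var/run/docker.sock"  # default path of the daemon socket

# Constructed /etc/group excerpt (sample data, not taken from a real host).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
docker:x:999:alice,bob
"""


@dataclass(frozen=True)
class SocketOwnership:
    """Owner, group and permission bits of the socket file."""
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o660


def _group_fields(group_text: str, group: str) -> Optional[list[str]]:
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == group:
            return fields
    return None


def docker_group_members(group_text: str, group: str = "docker") -> list[str]:
    """Return the users listed in GROUP in /etc/group-formatted text."""
    fields = _group_fields(group_text, group)
    return [u for u in fields[3].split(",") if u] if fields else []


def docker_group_gid(group_text: str, group: str = "docker") -> Optional[int]:
    """Return the numeric GID of GROUP, or None if it does not exist."""
    fields = _group_fields(group_text, group)
    return int(fields[2]) if fields else None


def can_connect(sock: SocketOwnership, uid: int, gids: set[int]) -> bool:
    """Can a process with UID and group set GIDS connect() to the socket?

    connect() on a UNIX socket needs write permission on the socket file,
    checked like any other file: owner, then group, then others. Root
    bypasses the check entirely.
    """
    if uid == 0:
        return True
    if uid == sock.uid:
        return bool(sock.mode & stat.S_IWUSR)
    if sock.gid in gids:
        return bool(sock.mode & stat.S_IWGRP)
    return bool(sock.mode & stat.S_IWOTH)


def live_socket_ownership(path: str = DOCKER_SOCK) -> SocketOwnership:
    """Read owner, group and mode of the real socket (raises if absent)."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a UNIX socket")
    return SocketOwnership(st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))


def findings(group_text: str, sock: SocketOwnership) -> list[str]:
    """Summarise who is root-equivalent via the daemon socket."""
    out = [f"docker group member (root-equivalent): {u}"
           for u in docker_group_members(group_text)]
    if sock.mode & stat.S_IWOTH:
        out.append(f"socket is world-writable (mode {sock.mode:o}): "
                   "every local user is root-equivalent")
    elif sock.mode & stat.S_IWGRP and sock.gid != docker_group_gid(group_text):
        out.append(f"socket group gid {sock.gid} is not the docker group; "
                   "check who is in it")
    return out


if __name__ == "__main__":
    # Default dockerd layout: owned root:docker, mode 0660.
    for line in findings(SAMPLE_GROUP_FILE, SocketOwnership(0, 999, 0o660)):
        print(line)
    # `chmod 666 /var/run/docker.sock` is a common shortcut for the
    # permission-denied error in the title; this is what it really does:
    for line in findings(SAMPLE_GROUP_FILE, SocketOwnership(0, 999, 0o666)):
        print(line)
```

On a real host, replace the constructed sample with `open("/etc/group").read()` and `live_socket_ownership()`; any user the script names should be treated as a root account when you review who has access.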

This has huge security implications. For example, if you instrument Docker from a web server to provision containers through an API, you should be even more careful than usual with parameter checking, to make sure that a malicious user cannot pass crafted parameters (such as a bind mount of the host's / directory) causing Docker to create arbitrary containers. For the same reason, the REST API endpoint used by the Docker CLI was moved (in Docker 0.5.2) from a TCP socket bound on 127.0.0.1 to a UNIX socket: a loopback TCP port is reachable by any local process, and by a browser via cross-site request forgery, so it amounted to a path to root, whereas a UNIX socket is protected by ordinary file permissions.
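A concrete version of that parameter check, as an added example (not code from the original post): the web layer never forwards client JSON to the Engine API's POST /containers/create. It rebuilds the request from an allowlist of fields and pins every HostConfig option that could reach the host itself. The image allowlist and the sample requests are constructed for the demonstration; the field names are those of the Docker Engine API.

```python
"""Build a POST /containers/create body from untrusted input.

Added example, not code from the original post. The client controls only
the image (from an allowlist), the command and a few environment
variables; everything that could reach the host, such as bind mounts,
privileged mode or host namespaces, is set here and cannot be overridden
by the request.
"""
import re

# Constructed allowlist for the demonstration; a real deployment pins digests.
ALLOWED_IMAGES = {"alpine:3.18", "python:3.12-slim"}
ALLOWED_FIELDS = {"image", "cmd", "env"}
# NAME=value, no NUL or newline so one entry cannot smuggle in a second.
ENV_RE = re.compile(r"[A-Z_][A-Z0-9_]*=[^\x00\n]{0,1024}")


class RejectedRequest(ValueError):
    """Raised when user input contains anything outside the allowlist."""


def build_create_request(user_req: dict) -> dict:
    """Translate an untrusted request into a safe Engine API body."""
    extra = set(user_req) - ALLOWED_FIELDS
    if extra:
        # Anything not allowlisted is rejected outright: this is where
        # HostConfig, Binds, Mounts, Privileged, PidMode, Devices die.
        raise RejectedRequest(f"unexpected fields: {sorted(extra)}")

    image = user_req.get("image")
    if image not in ALLOWED_IMAGES:
        raise RejectedRequest(f"image not allowed: {image!r}")

    cmd = user_req.get("cmd", [])
    if not isinstance(cmd, list) or not all(isinstance(c, str) for c in cmd):
        raise RejectedRequest("cmd must be a list of strings")

    env = user_req.get("env", [])
    if not isinstance(env, list) or not all(
            isinstance(e, str) and ENV_RE.fullmatch(e) for e in env):
        raise RejectedRequest("env must be a list of NAME=value strings")

    # The server, not the client, decides everything below.
    return {
        "Image": image,
        "Cmd": cmd,
        "Env": env,
        "User": "65534:65534",  # nobody; never root inside the container
        "HostConfig": {
            "Privileged": False,
            "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges"],
            "ReadonlyRootfs": True,
            "Binds": [],            # no host paths, ever
            "PidMode": "",          # own PID namespace, not the host's
            "NetworkMode": "none",  # no network unless the service needs it
            "Memory": 256 * 1024 * 1024,
            "PidsLimit": 128,
        },
    }


if __name__ == "__main__":
    print(build_create_request({"image": "alpine:3.18", "cmd": ["id"]}))
    try:
        build_create_request({"image": "alpine:3.18",
                              "HostConfig": {"Binds": ["/:/host"]}})
    except RejectedRequest as exc:
        print("rejected:", exc)
```

The allowlist shape matters more than the individual checks: a denylist of “dangerous” keys would have to track every new HostConfig option the Engine API adds, while an allowlist of three fields does not.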

If you do expose the daemon's API over TCP, it is mandatory to secure the endpoint with HTTPS and certificates (TLS with client certificate verification), and it is recommended to make it reachable only from your trusted local network or VPN rather than from every interface.
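As an added example (not code from the original post), the following Python audits a daemon.json document for exactly these two points: a tcp:// listener without tlsverify, and a bind to every interface instead of the trusted network or VPN address. The weak and hardened configurations are constructed; the certificate paths and the 10.8.0.1 VPN address are assumptions, and the keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are dockerd's own daemon.json options.

```python
"""Audit dockerd's listening configuration (daemon.json).

Added example, not code from the original post. A tcp:// listener without
tlsverify hands root on the host to anyone who can reach the port; a
0.0.0.0 bind exposes it on every interface. The two sample configs are
constructed; the certificate paths and VPN address are assumptions.
"""
import json
from urllib.parse import urlsplit

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")

# Constructed: the exposed-daemon anti-pattern, plaintext on all interfaces.
WEAK_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: remote access only over mutually authenticated TLS, bound
# to a single address on the VPN interface (10.8.0.1 is assumed).
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.8.0.1:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def audit_daemon_config(raw: str) -> list:
    """Return findings for a daemon.json document; an empty list is clean."""
    cfg = json.loads(raw)
    findings = []
    # dockerd defaults to the UNIX socket alone when "hosts" is absent.
    hosts = cfg.get("hosts", ["unix:///var/run/docker.sock"])
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # local socket only: nothing reachable over the network

    if not cfg.get("tlsverify"):
        findings.append(f"{tcp_hosts} listen without tlsverify: "
                        "unauthenticated root on the host for anyone who can reach the port")
    else:
        missing = [k for k in TLS_KEYS if k not in cfg]
        if missing:
            findings.append(f"tlsverify is set but {missing} are not configured "
                            "explicitly; pin the CA, cert and key paths")

    for h in tcp_hosts:
        if urlsplit(h).hostname in ("0.0.0.0", "::", None):
            findings.append(f"{h} binds every interface; bind the VPN or "
                            "trusted-network address instead and firewall the port")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or "no findings")
```

Run it against /etc/docker/daemon.json (and, if the daemon is started with -H on the command line, against that too, since command-line hosts take effect the same way) before you open the port on a firewall.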

I will write further about Linux kernel capabilities in a separate article.

Source used in this article: https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface


Written by Jon Goldman

Cloud Security, Automation, DevOps, AWS, Azure, GCP
