-1

I am working on Docker and before I execute any command on the Docker CLI, I need to switch to the root user using the command

sudo su - root

Can anyone please tell me why we need to switch to root user to perform any operation on Docker Engine?

ejuhjav
Harry S

2 Answers

2

You don't need to switch to root for docker CLI commands, and it is common to add your user to the docker group:

sudo groupadd docker
sudo usermod -aG docker $USER

see: https://docs.docker.com/engine/install/linux-postinstall/#manage-docker-as-a-non-root-user

The reason why docker is run as root:

The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.

invad0r
  • Means if I create any user and add it to the Docker group, shall I be able to execute all Docker commands the same as the root user can execute? – Harry S Apr 16 '20 at 05:33
  • @invad0r the question is `why` permission escalation is needed. Your answer provides the way to get past it but does not really answer the actual question asked – akazuko Apr 16 '20 at 05:51
  • One has to be aware of the implications of putting himself into the `docker` group though. If you run a malicious container with filesystem access you can compromise your system. Keep that in mind. It's better to simply use docker commands using sudo. – Mike Doe Apr 16 '20 at 08:17
  • @invad0r From the docker documentation I understood the communication happens over a socket, which is usually the combination of IP and port; what port does it use basically? – Harry S Apr 16 '20 at 13:28
0

Using docker commands, you can trivially get root-level access to any part of the host filesystem. The very most basic example is

docker run --rm -v /:/host busybox cat /host/etc/shadow

which will get you a file of encrypted passwords that you can crack offline at your leisure; but if I wanted to actually take over the machine I'd just write my own line into /host/etc/passwd and /host/etc/shadow creating an alternate uid-0 user with no password and go to town.

Docker doesn't really have any way to limit what docker commands you can run or what files or volumes you can mount. So if you can run any docker command at all, you have unrestricted root access to the host. Putting it behind sudo is appropriate.

The other important corollary to this is that using the dockerd -H option to make the Docker socket network-accessible is asking for your system to get remotely rooted. Google "Docker cryptojacking" for some more details and prominent real-life examples.

David Maze
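As an added example (not code from either answer, nor Docker's own) covering both the first answer's docker-group advice and the second answer's `-H` corollary, this Python audit script checks the three things a defender wants to know on a host: who is in the docker group (and is therefore root-equivalent), whether the socket's mode grants access beyond root and that group, and whether daemon.json exposes the API over TCP. The function names, the sample group table and the daemon.json snippet are constructed for the example; the socket and config paths are Docker's documented defaults.

```python
# Audit helpers for the two points made in this thread: docker-group membership is
# root-equivalent, and exposing the API over TCP (-H) is remotely exploitable.
# Added example, not code from the thread or from Docker; runs offline on constructed input.
import json
import os
import stat

def docker_group_members(group_db):
    """Users who can reach dockerd without sudo, i.e. effectively root on the host.
    group_db is a list of (group_name, [members]) pairs, as built from grp.getgrall()."""
    return sorted({u for name, members in group_db if name == "docker" for u in members})

def socket_findings(mode, uid):
    """Expected state of /var/run/docker.sock: root-owned, no 'other' permission bits."""
    findings = []
    if uid != 0:
        findings.append("socket not owned by root")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append("socket open to every local user (passwordless root)")
    return findings

def daemon_config_findings(daemon_json_text):
    """Flag daemon.json 'hosts' entries that bind the API to TCP; without tlsverify,
    anyone who can reach the port can start containers as root."""
    cfg = json.loads(daemon_json_text)
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://"):
            auth = "client-cert auth; still firewall it" if cfg.get("tlsverify") else "no TLS client auth, remotely rootable"
            findings.append(f"{host}: TCP API, {auth}")
    return findings

# Constructed sample input so the checks run without a Docker host.
SAMPLE_GROUPS = [("root", []), ("docker", ["alice", "ci"]), ("sudo", ["alice"])]
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

def audit_live(sock="/var/run/docker.sock", conf="/etc/docker/daemon.json"):
    """Same checks against the local host (Linux only; paths are Docker's defaults)."""
    import grp  # Unix-only, imported here so the pure functions above stay portable
    st = os.stat(sock)
    groups = [(g.gr_name, list(g.gr_mem)) for g in grp.getgrall()]
    report = socket_findings(st.st_mode, st.st_uid)
    report += [f"root-equivalent via docker group: {u}" for u in docker_group_members(groups)]
    if os.path.exists(conf):
        with open(conf) as fh:
            report += daemon_config_findings(fh.read())
    return report

if __name__ == "__main__":
    print("\n".join(audit_live() or ["no findings"]))
```

Every user the script lists under the docker group should be treated exactly like a sudoer with NOPASSWD, which is the practical meaning of the first answer's caveat.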