Sylvain Leroux asked:
Is there any real advantage in putting a user into the
docker group rather than granting her
sudo access to the host?
For the long story, I’m writing a tutorial showing how members of the
docker group can directly interact (ie, without using
sudo) with the docker server through a Unix domain socket the
dockerd server is listening on.
However, by granting an unprivileged user the power to create arbitrary containers, it seems that user gains effective root access to the host: for example, it becomes quite easy that way to modify the host fs through bind mounts. Or to interact with the kernel via
sysfs. So what’s the point in putting someone into the
docker group rather than giving that user root access to the system?
Or the user could just load a nice convenient Docker container that throws them straight into a root shell.
Granting access to the docker socket does indeed virtually guarantee the ability to escalate privileges.
What matters here is declaring your intentions. You put someone in the
docker group so that they can run containers without needing to run
sudo for every command all the time. You put someone in
sudoers when you want them to be able to
sudo and run any command as root.
If you don’t want to give arbitrary people access to the Docker socket, you should almost certainly be using an orchestration system such as OpenShift or Kubernetes.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.