What are the advantages of putting a user into the `docker` group instead of granting her `sudo` access to the host?

Sylvain Leroux asked:

Is there any real advantage in putting a user into the docker group rather than granting her sudo access to the host?

For the long story, I’m writing a tutorial showing how members of the docker group can directly interact (ie, without using sudo) with the docker server through a Unix domain socket the dockerd server is listening on.

However, by granting an unprivileged user the power to create arbitrary containers, it seems that user gains effective root access to the host: for example, it becomes quite easy that way to modify the host fs through bind mounts. Or to interact with the kernel via procfs/sysfs. So what’s the point in putting someone into the docker group rather than giving that user root access to the system?

My answer:

Or the user could just load a nice convenient Docker container that throws them straight into a root shell.

Granting access to the docker socket does indeed virtually guarantee the ability to escalate privileges.

What matters here is declaring your intentions. You put someone in the docker group so that they can run containers without needing to run sudo for every command all the time. You put someone in sudoers when you want them to be able to sudo and run any command as root.

If you don’t want to give arbitrary people access to the Docker socket, you should almost certainly be using an orchestration system such as OpenShift or Kubernetes.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.