
About Linux: Docker - why do I need to sudo in Linux?

Question Detail

I am working through this tutorial setting up Docker, and I’m finding that all of their examples are written like

docker run hello-world

but when I try it, it says permission denied on a socket and I have to do

sudo docker run hello-world

to run the examples. Why are root privileges necessary even for these simple examples?

Question Answer

Running a docker container requires the user to be a member of the docker group. By default, when you install docker, the only user that is added to it is root. You can add your own user to this group if you want to run docker containers from it.

Requiring sudo-level access to get access to Docker is a sound security restriction. Otherwise, anyone who can run any Docker commands at all can run this one:

docker run -v /etc:/host-etc busybox \
  sh -c 'echo ALL ALL=(ALL:ALL) NOPASSWD:ALL >> /host-etc/sudoers'

That is, anyone who can run Docker commands is all but root already.

Really this is controlled by the file permissions on /var/run/docker.sock. Having a docker group that owns that socket file and giving it mode 0660 is a common setup (particularly on Ubuntu). But, again, anyone who’s a member of the docker group can read and change arbitrary files on the host, and is root in all but name.
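
A defender-side check for the setup described above, added here as an example and not part of the original answers: it reads the owner, group and mode of the socket file and lists the accounts that the socket's group makes root-equivalent. The function name audit_socket and the report fields are chosen for this example.

```python
import grp
import os
import pwd
import stat


def audit_socket(path="/var/run/docker.sock"):
    """Report which local accounts can reach the Docker daemon via `path`."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:  # uid with no passwd entry
        owner = str(st.st_uid)
    try:
        entry = grp.getgrgid(st.st_gid)
        group, members = entry.gr_name, set(entry.gr_mem)
    except KeyError:  # gid with no group entry
        group, members = str(st.st_gid), set()
    # Accounts whose primary group is the socket's group are members too,
    # even though they do not appear in the group's member list.
    members |= {u.pw_name for u in pwd.getpwall() if u.pw_gid == st.st_gid}
    # On Linux, connecting to a Unix socket needs write permission on it.
    group_access = bool(mode & stat.S_IWGRP)
    world_access = bool(mode & stat.S_IWOTH)
    findings = []
    if world_access:
        findings.append("socket is world-writable: every local user is root-equivalent")
    if group_access and members - {owner}:
        findings.append("group '%s' grants root-equivalent access to: %s"
                        % (group, ", ".join(sorted(members - {owner}))))
    return {
        "mode": "%04o" % mode,
        "owner": owner,
        "group": group,
        "is_socket": stat.S_ISSOCK(st.st_mode),
        "group_access": group_access,
        "world_access": world_access,
        "root_equivalent": sorted(members) if group_access else [],
        "findings": findings,
    }


if __name__ == "__main__" and os.path.exists("/var/run/docker.sock"):
    for key, value in audit_socket().items():
        print("%-16s %s" % (key, value))
```

Every name under root_equivalent should be an account you would also be willing to give unrestricted sudo.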
