On the docker-dev list someone asked about Fedora documentation that described how you add a user to the
docker group. The user wanted to allow his users to do a
docker search to try to find images that they could use.
From the Docker installation documentation regarding Fedora:
Granting rights to users to use Docker
Fedora 19 and 20 shipped with Docker 0.11. The package has already been updated to 1.0 in Fedora 20. If you are still using the 0.11 version, you will need to grant rights to users of Docker.
dockercommand line tool contacts the
dockerdaemon process via a socket file
/var/run/docker.sockowned by group
docker. One must be a member of that group in order to contact the
Luckily this documentation is somewhat wrong, and you still need to add users to the
docker group in order for them to use
docker from a non-root account. I would hope that all distributions have this policy.
On Fedora and RHEL we have the following permissions on the
# ls -l /run/docker.sock
srw-rw----. 1 root docker 0 Sep 19 12:54
This means that only the root user or the users in the
docker group can talk to this socket. Also since
docker runs as
docker_t, SELinux prevents all confined domains from connecting to this
No Authorization controls from docker
Docker currently does not have any authorization controls. If you can talk to the
docker socket or if
docker is listening on a network port and you can talk to it, you are allowed to execute all
For example, if I add "dwalsh" to the
docker group on my machine, I can execute.
> docker run -ti --rm --privileged --net=host -v /:/host fedora /bin/sh
# chroot /host
At which point you, or any user that has these permissions, has total control on your system.
Adding a user to the docker group should be considered the same as adding:
USERNAME ALL=(ALL) NOPASSWD: ALL
to the /etc/sudoers file. Any application the user runs on his machine can become root, even without him knowing. I believe a better more secure solution would be to write scripts to allow the user the access you want to allow.
docker search $@
Then set up sudo with:
USERNAME ALL=(ALL) NOPASSWD: /usr/bin/dockersearch
I hope to eventually add some kind of authorization database to
docker to allow admins to configure which commands you would allow a user to execute, and which containers you might allow them to start/stop.
First eliminating the ability to execute
docker run --privileged or
docker run --cap-remove would be a step in the right direction. But, if you have read my other posts, you know that a lot more needs to be done to make containers contain.
Originally posted on www.projectatomic.io as "Granting Rights to Users to Use Docker in Fedora." Reposted under Creative Commons.
Comments are closed.