The Docker daemon requires access to the Docker socket which is, by default, owned by the user
root and the group
Docker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the
/ directory on your host to the container. The container is able to modify your host file system without any restrictions. This means that you could gain elevated privileges simply by being a member of the
docker group and subsequently start a container which maps the root
/ directory on the host.
Run the following command on the Docker host to see the members of the
docker group, and ensure that only trusted users are members:
getent group docker
You should remove any untrusted users from the
docker group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.
Provided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.
Version 6.5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.