Configure permissions for Docker configuration file

DOCKER/DaemonConfigOwnership

The recommended way to configure the Docker daemon is through the daemon.json file, located in /etc/docker/ by default. This file lets you configure the daemon without passing extra flags on the command line; it is platform-independent and can be managed as infrastructure as code, so the configuration is persisted in a version control system.

Why you should care about /etc/docker/daemon.json permissions

Through this file you can tweak many options of the Docker daemon. Docker runs as root and can manage many aspects of a Linux system, from network configuration to devices, and it can spawn processes that run arbitrary code through containers downloaded from the internet.

In a regular setup, dockerd is managed by systemd and runs as the root user. Therefore, not only is there no reason to let any user other than root edit this configuration file, it is dangerous to allow it.

If other users have permission to edit this file, a compromised service or user could modify it to make the server download and run malicious containers.

Avoid these risks by making sure only the required user has write permission.

How to configure /etc/docker/daemon.json permissions

Run chown to change the file ownership:

sudo chown root:root /etc/docker/daemon.json

And change the file permissions with chmod:

sudo chmod 644 /etc/docker/daemon.json

To make sure the permissions are right, run:

stat -c %U:%G:%A /etc/docker/daemon.json

The desired output follows:

root:root:-rw-r--r--

The file is owned by the root user and the root group. It can be read and written by the owner, and only read by the group and by others.
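As an added example (not part of the original page), the stat check above wrapped in a small POSIX shell audit function that reports whether a file's owner, group and write bits match what this page prescribes. It assumes GNU coreutils stat (the -c format used above); the default path and owner are the page's /etc/docker/daemon.json and root:root.

```shell
#!/bin/sh
# Added example, not from the original page: audit a Docker daemon.json
# (or any config file) for the ownership and mode described above.
# Assumes GNU coreutils stat (the -c format the page uses).

# check_config_file FILE [OWNER] [GROUP]
# Returns 0 when FILE exists, is owned by OWNER:GROUP (default root:root)
# and has no group or other write bit; otherwise prints each problem to
# stderr and returns 1. A stricter mode than 644 (e.g. 600) also passes.
check_config_file() {
    file=$1
    want_owner=${2:-root}
    want_group=${3:-root}
    status=0

    if [ ! -f "$file" ]; then
        echo "$file: missing or not a regular file" >&2
        return 1
    fi

    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    perms=$(stat -c %A "$file")   # e.g. -rw-r--r--

    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$file: owned by $owner:$group, expected $want_owner:$want_group" >&2
        status=1
    fi

    # In the %A string, position 6 is the group write bit and position 9
    # the other write bit; either one set means a non-owner can edit the file.
    case $perms in
        ?????w*)    echo "$file: group-writable ($perms)" >&2; status=1 ;;
    esac
    case $perms in
        ????????w*) echo "$file: world-writable ($perms)" >&2; status=1 ;;
    esac

    return $status
}

# Run directly with a path, e.g.: sh audit.sh /etc/docker/daemon.json
if [ $# -gt 0 ]; then
    check_config_file "$1" && echo "$1: ownership and permissions OK"
fi
```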