Configure permissions for Docker configuration file
The recommended way to configure a Docker daemon is through the daemon.json
file, located at /etc/docker/ by default. This file allows you to
conveniently configure the Docker daemon without passing extra flags on the
command line. It is platform-independent and can be managed with infrastructure
as code, so the configuration is persisted in a version control system.
Through this file, you can tweak many options of the Docker daemon. Docker runs as root and can manage many aspects of a Linux system, from network configuration to devices, and it can spawn processes that run arbitrary code through containers downloaded from the internet.
In a regular setup, dockerd is managed by systemd and runs as the root user.
Therefore, not only is there no reason to let any user other than root edit
this configuration file, it is dangerous to allow it.
If other users have permission to edit this file, a compromised service or user could edit it to make the server download and run malicious containers.
Avoid these risks by making sure only the required user has write permissions.
Use chown to change the file ownership:
sudo chown root:root /etc/docker/daemon.json
And change the file permissions with chmod:
sudo chmod 644 /etc/docker/daemon.json
To make sure the permissions are right run:
stat -c %U:%G:%A /etc/docker/daemon.json
The desired output follows:
root:root:-rw-r--r--
The file is owned by the root user and root group. It can be read and written by the owner, and only read by the group and by others.
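The following script is an added example, not part of the original page: it wraps the chown, chmod and stat steps above into a small audit that reports whether a configuration file has the expected owner, group and mode, and optionally fixes it. It assumes a Linux host with GNU coreutils stat (the -c format used on this page); the function names and the DAEMON_JSON_AUDIT variable are my own choices.

```shell
#!/bin/sh
# Added example (not from the original page): audit the ownership and mode of
# a Docker daemon configuration file against the recommended root:root, 0644.
# Assumes GNU coreutils stat (Linux), as used on the page.

# check_config_perms PATH OWNER GROUP MODE
# Returns 0 when PATH is owned by OWNER:GROUP with octal MODE (e.g. 644),
# 1 when ownership or mode deviate, 2 when the file cannot be inspected.
# Prints a one-line verdict in every case.
check_config_perms() {
    path=$1; want_owner=$2; want_group=$3; want_mode=$4
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # %U:%G give the owner and group names, %a the octal mode without leading 0.
    actual=$(stat -c '%U:%G:%a' "$path") || return 2
    if [ "$actual" = "$want_owner:$want_group:$want_mode" ]; then
        echo "OK      $path is $actual"
        return 0
    fi
    echo "BAD     $path is $actual, expected $want_owner:$want_group:$want_mode"
    return 1
}

# fix_config_perms PATH OWNER GROUP MODE
# Applies the chown/chmod steps from the page to PATH.
fix_config_perms() {
    chown "$2:$3" "$1" && chmod "$4" "$1"
}

# audit_daemon_json [PATH]
# The page's recommendation for daemon.json: owned by root:root, mode 644.
audit_daemon_json() {
    check_config_perms "${1:-/etc/docker/daemon.json}" root root 644
}

# Run the audit of the default file only when explicitly requested, so the
# functions can also be sourced from other scripts without side effects.
if [ "${DAEMON_JSON_AUDIT:-0}" = 1 ]; then
    audit_daemon_json "$@"
fi
```

Run it with DAEMON_JSON_AUDIT=1 sh audit.sh to check /etc/docker/daemon.json and use the exit status (0 is compliant, 1 is a deviation) in a configuration-management or CI check; fix_config_perms needs to run as root to restore root:root ownership.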