6

Every time after logging in I am getting permission denied while trying to connect to the Docker daemon socket, so I need to execute sudo chmod 777 /var/run/docker.sock to solve it. I am curious why and how the permissions of this file are changed every time. Also, I want to forbid such changes so I don't need to execute chmod. Is there a way to do it? Please do not suggest such things as running rootless docker or anything about the docker group (I have already seen this question: How can I use docker without sudo? before asking mine), I am interested only in dealing with permissions.

sanyassh
  • 157

3 Answers

8

Why /var/run/docker.sock permissions are changed every time I log out? How can I forbid it?

Because the people from docker take security seriously. And so should you. You really need to understand that this opens up your docker instance to everyone. For a thorough explanation this is a must read. chmod 777 is never the correct solution (well... unless the sticky bit is also set).

If you still want to do it with

sudo chmod 777 /var/run/docker.sock

you need to have this command executed each time you log in. "Startup applications" can be used to execute a script at the time you log in to the desktop. But please please do not. Use the group method below.

You can also set the immutable bit (chattr +i {file}) so normal users cannot change the attributes, but that is just a trick. Someone with access to the system can easily change that by rebooting with a live session; even a non-admin user can do that.

Please do not suggest such things as running rootless docker or anything about the docker group, I am interested only in dealing with permissions.

Why? You forgot to explain why these are not acceptable. In theory you could have a valid reason (though I can not imagine one myself :) ).

See How can I use docker without sudo? on how to set this up, or use the official documentation on how to set up docker with a group or rootless. Those ARE the 2 methods provided by docker.

Rinzwind
  • 299,756
  • I think I had to ask this question: "How to forbid changing permissions" without mentioning docker. I want some file to have 777 permissions. I also don't want anybody to change them. Is this possible? – sanyassh Dec 06 '19 at 09:38
  • Set the immutable bit (chattr +i {file}) but even that is just a trick. Someone with access to the system can easily change that by rebooting with a live session. – Rinzwind Dec 06 '19 at 10:34
  • looks like it is what I was looking for, thanks. It is the real answer to my question "how can i forbid changing permissions" so if you include the comment into the answer, I can accept it. – sanyassh Dec 06 '19 at 11:40
  • ... everyone who can run code or commands on your computer. – user253751 Dec 06 '19 at 16:57
  • Also, I don't really understand why this always appears in questions/answers on askubuntu and such sites: Someone with access to the system. There is nobody with access to my system, it is a personal computer. So I really don't care about security, all these sudo things, etc. I just want to make my life easier. – sanyassh Dec 06 '19 at 18:22
  • @sanyash not everyone lives alone. Plus this also includes external access through ssh, ftp, bugs in browsers, using any type of server with online access, malware, spyware, etc. – Rinzwind Dec 06 '19 at 18:34
  • Your answer is not answering the question. – Ivailo Bardarov Oct 21 '21 at 17:45
3

Some folks on a DigitalOcean forum suggested a fix based on the official Docker documentation that should be more secure and permanent:

sudo groupadd docker
sudo usermod -aG docker $USER
newgrp docker
John
  • 181
1

You can change the group ownership permanently by editing /etc/systemd/system/sockets.target.wants/docker.socket.

Set the right group at line

SocketGroup=docker

Then run systemctl daemon-reload and reboot.

Lionep
  • 1,295
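
The socket unit named in the last answer is what sets the socket's owner, group and mode each time systemd creates it, which is why a manual chmod does not persist. The script below is an added example, not code from any of the answers: it compares a socket's live mode with the unit's SocketMode and flags a world-writable socket. The unit text and the regular file standing in for /var/run/docker.sock are constructed, the function names are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: compare a socket's live mode with its systemd socket unit.
# Constructed sample unit text, modelled on a docker.socket unit.
write_sample_unit() {
    printf '%s\n' '[Unit]' 'Description=Docker Socket for the API' \
        '[Socket]' 'ListenStream=/run/docker.sock' 'SocketMode=0660' \
        'SocketUser=root' 'SocketGroup=docker' > "$1"
}

# Print the last KEY=value found in the [Socket] section of a unit file.
unit_setting() {
    awk -F= -v key="$1" '
        /^\[/ { in_socket = ($0 == "[Socket]") }
        in_socket && $1 == key { val = $2 }
        END { print val }' "$2"
}

# Succeed if the octal mode grants write to "other" (needed to connect on Linux).
world_writable() {
    [ $(( 0$1 & 02 )) -ne 0 ]
}

# audit_socket PATH UNIT: print a finding; return 0 only if the mode matches the unit.
audit_socket() {
    actual=$(stat -c '%a' "$1") || return 2
    expected=$(unit_setting SocketMode "$2")
    group=$(unit_setting SocketGroup "$2")
    if world_writable "$actual"; then
        echo "FAIL $1 is mode $actual: every local account and process can connect"
        return 1
    fi
    if [ $(( 0$actual )) -ne $(( 0${expected:-0660} )) ]; then
        echo "WARN $1 is mode $actual, unit sets $expected (reset when the socket is recreated)"
        return 1
    fi
    echo "OK $1 is mode $actual, limited to root and group $group"
}

# Demo on a regular file standing in for the socket (constructed, runs offline).
demo_dir=$(mktemp -d)
write_sample_unit "$demo_dir/docker.socket"
: > "$demo_dir/docker.sock"
chmod 660 "$demo_dir/docker.sock"
audit_socket "$demo_dir/docker.sock" "$demo_dir/docker.socket" || true
chmod 777 "$demo_dir/docker.sock"
audit_socket "$demo_dir/docker.sock" "$demo_dir/docker.socket" || true
rm -rf "$demo_dir"
```

On a real host the arguments would be /var/run/docker.sock and the docker.socket unit file that `systemctl cat docker.socket` reports.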