Ubuntu – /var/run/docker.sock permissions are changed every time I log out? How to forbid it

chmod docker permissions

Every time after logging in I am getting "permission denied while trying to connect to the Docker daemon socket", so I need to execute sudo chmod 777 /var/run/docker.sock to solve it. I am curious why and how the permissions of this file are changed every time. Also I want to forbid such changes so I don't need to execute chmod. Is there a way to do it? Please do not suggest things like running rootless docker or anything about the docker group (I have already seen this question: How can I use docker without sudo? before asking mine); I am interested only in dealing with permissions.

Best Answer

Why /var/run/docker.sock permissions are changed every time I log out? How can I forbid it?

Because the people from docker take security seriously. And so should you. You really need to understand that this opens up your docker instance to everyone. For a thorough explanation this is a must read. chmod 777 is never the correct solution (well... unless the sticky bit is also set).

If you still want to do it with

sudo chmod 777 /var/run/docker.sock

you need to have this command executed each time you log in. "Startup applications" can be used to execute a script at the time you log in to the desktop. But please, please do not. Use the group method below.

You can also set the immutable bit (chattr +i {file}) so normal users cannot change the attributes, but that is just a trick. Someone with access to the system can easily change that by rebooting into a live session; even a non-admin user can do that.

Please do not suggest things like running rootless docker or anything about the docker group; I am interested only in dealing with permissions.

Why? You forgot to explain why these are not acceptable. In theory you could have a valid reason (though I can not imagine one myself :) ).

See How can I use docker without sudo? on how to set this up or use the official documentation on how to setup docker with a group or rootless. Those ARE the 2 methods provided by docker.
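One way to check, from the defender's side, whether the socket has been left world-accessible the way the answer warns chmod 777 does. This is an added example, not code from the original post or from Docker: a small POSIX sh function that relies on GNU stat (the coreutils Ubuntu ships). The function name is hypothetical; the 660 root:docker mode it treats as the baseline is Docker's own default for the daemon socket.

```shell
#!/bin/sh
# audit_socket_mode PATH
# Reports whether PATH (normally /var/run/docker.sock) is world-writable.
# Exit status: 0 = ok, 1 = world-writable, 2 = path does not exist.
# Assumes GNU stat (-c), as on Ubuntu. Hypothetical helper for illustration.
audit_socket_mode() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing: $path"
        return 2
    fi
    # Octal mode plus owner and group, e.g. "660 root docker" after a clean
    # dockerd start, or "777 root root" after the chmod from the question.
    mode=$(stat -c '%a' "$path")
    owner=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    # The last octal digit is the "others" class; bit 2 there is the write
    # bit, which is what lets every local account talk to the daemon.
    others=$(printf '%s' "$mode" | tail -c 1)
    if [ $((others & 2)) -ne 0 ]; then
        echo "world-writable: $path is $mode $owner:$group (expected 660 root:docker)"
        return 1
    fi
    echo "ok: $path is $mode $owner:$group"
    return 0
}

# Audit the path given on the command line, if any.
if [ $# -gt 0 ]; then
    audit_socket_mode "$1"
fi
```

Run it as `sh audit.sh /var/run/docker.sock` after a fresh boot and again after the chmod from the question to see the two states side by side; the non-zero exit status makes it usable from a login script or a monitoring check without parsing the text.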
