From dbf0e2d3c3273cec2b7d3832acfc320865b83019 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Sun, 3 Apr 2022 05:19:43 +0200 Subject: [PATCH] improvement --- content/posts/docker-hardening.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/posts/docker-hardening.md b/content/posts/docker-hardening.md index 17884b7..242fbb4 100644 --- a/content/posts/docker-hardening.md +++ b/content/posts/docker-hardening.md @@ -79,7 +79,7 @@ Good practices have been therefore established: - Keep the host kernel, Docker and the OCI runtime updated. - Consider the usage of user namespaces. -By the way, it goes without saying that any user (or container) who has access to the Docker daemon should be considered as privileged as root. It should only be owned by root, and if that doesn't work with your environment, use Docker rootless or Podman. +By the way, it goes without saying that any user who has access to the Docker daemon should be considered as privileged as root. Mounting the Docker socket (`/var/run/docker.sock`) in a container makes it highly privileged, and so it should be avoided. The socket should only be owned by root, and if that doesn't work with your environment, use Docker rootless or Podman. ### Avoiding root root can be avoided in different ways in the final container:
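Review bot: the new sentence in the `+` line has an ambiguous pronoun: in "Mounting the Docker socket (`/var/run/docker.sock`) in a container makes it highly privileged, and so it should be avoided", the first "it" could refer to the socket or the container, and the second "it" could refer to the mount or to the container. Suggest making both referents explicit, e.g. "Mounting the Docker socket (`/var/run/docker.sock`) into a container makes that container as privileged as root on the host, so this should be avoided." That wording also ties the sentence back to the preceding one, which states that anyone with access to the daemon is root-equivalent. Separately, the paragraph opens by talking about who has *access* to the daemon but then says the socket "should only be owned by root"; since ownership and access are different controls, "should only be accessible to root" would match the point being made (the original `-` line's "(or container)" wording is now covered by the added sentence, so dropping it is fine).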