I changed my docker installation to rootless. I now installed Patchmon on the host and I wanted to monitor and update my Docker images as well. But Patchmon requires docker.sock to be in /var/run. My current docker.sock is of course in /run/user/{userid}. Are there any security risks, and if so what are they, to making a symlink to have the docker.sock in /var/run as well? The /run/user/{userid}/docker.sock is owned by the user running Docker. The symlink is owned by root because of the privileges needed for /var/run.

I don’t have enough knowledge to be doing these kinds of things, but I just like to tinker and I want to know how insecure this setup could be.

  • Pika@sh.itjust.works · (edited) · 7 hours ago

    I’m not fully understanding here: are you saying that the symlink is root because root is required to access /var/run, or that it’s root because it’s required by Patchmon?

    If it’s root because the rest of /var/run is root, is it not on the table to just chown the /var/run/docker.sock symlink to be the userid? Since I would assume that Patchmon would be running as the docker user anyway, given that you are running in a rootless environment? I might be misunderstanding.

    As long as your permissions on the symlink are in line with the permissions on the original sock, I wouldn’t expect there would be too much risk there. Of course a malicious vector /could/ see that a /var/run/docker.sock exists and try to manipulate it, but since Docker itself isn’t root, which means that the user executing the symlink isn’t root, I don’t think it would allow for escalation.

  • dan@upvote.au · 10 hours ago

    Does Patchmon not have a setting to look for the Docker socket in a different location?

    I could be wrong, but I don’t think there are any security issues with making a symlink to a socket, since permissions/ACLs on the socket would still apply.
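Both replies hinge on the same fact: the kernel ignores the mode bits of a symlink and checks connect() against the socket inode the link resolves to. The audit below, added here and not code from the thread, Patchmon or Docker, builds a stand-in for /run/user/{userid}/docker.sock and a /var/run/docker.sock-style symlink in a temp directory (constructed paths, not the real ones) and reports what the link actually grants.

```python
import os
import socket
import stat
import tempfile


def audit_socket_symlink(link_path):
    """Report owner/mode of the socket a link resolves to, not of the link.

    connect() is permission-checked on the target socket inode, so the
    link's own uid is informational; the socket's uid/mode decide access.
    """
    ls = os.lstat(link_path)  # the link itself, never followed
    if not stat.S_ISLNK(ls.st_mode):
        raise ValueError(f"{link_path} is not a symlink")
    target = os.path.realpath(link_path)
    ts = os.stat(target)  # the socket the link resolves to
    if not stat.S_ISSOCK(ts.st_mode):
        raise ValueError(f"{target} is not a unix socket")
    return {
        "target": target,
        "link_uid": ls.st_uid,
        "socket_uid": ts.st_uid,
        "socket_mode": stat.S_IMODE(ts.st_mode),
        "socket_group_writable": bool(ts.st_mode & stat.S_IWGRP),
        "socket_world_writable": bool(ts.st_mode & stat.S_IWOTH),
        "same_inode": os.stat(link_path).st_ino == ts.st_ino,
    }


def demo():
    """Constructed layout: user_run/docker.sock plus var_run/docker.sock -> it."""
    tmp = tempfile.mkdtemp()
    real_sock = os.path.join(tmp, "user_run", "docker.sock")
    link = os.path.join(tmp, "var_run", "docker.sock")
    os.makedirs(os.path.dirname(real_sock))
    os.makedirs(os.path.dirname(link))
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(real_sock)
    srv.listen(1)
    os.chmod(real_sock, 0o660)  # constructed: owner and group only
    os.symlink(real_sock, link)
    report = audit_socket_symlink(link)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(link)  # client goes through the link, lands on the socket
    conn, _ = srv.accept()
    report["connect_via_link_ok"] = True
    for s in (cli, conn, srv):
        s.close()
    os.unlink(real_sock)
    return report
```

Run `audit_socket_symlink("/var/run/docker.sock")` on the real host to see whether the resolved socket is group- or world-writable, which is the question that matters, not who owns the link.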