
11.3.1.1 Socket Root Access

A focused guide to Socket Root Access, connecting core concepts with practical Docker and container operations.

Socket root access refers to the fact that the Docker daemon (and therefore anyone who can reach its socket) typically runs as root on the host. Granting a container access to that socket therefore gives the container's process root-equivalent control over the host, not merely elevated privilege inside the container.

Why the Daemon's Root Privilege Transfers Through the Socket

Commands issued through the Docker socket are executed by the daemon, which runs as root — a container with socket access isn't merely gaining some intermediate level of elevated privilege, but effectively gaining the same root-level control the daemon itself has.

docker run -v /var/run/docker.sock:/var/run/docker.sock alpine sh -c "docker run --privileged -v /:/host alpine chroot /host id"
uid=0(root) gid=0(root)

This demonstrates the container achieving genuine, full root access to the host, made possible entirely through the daemon's own root-level execution being reachable via the mounted socket.

Why This Differs From Even a Misconfigured, Privileged Container

Even a privileged container's elevated access is generally still scoped, in some sense, to that one container's own context — Docker socket access instead provides a path to instructing the daemon to do essentially anything, including creating an entirely new, even more broadly configured container.

docker run -v /var/run/docker.sock:/var/run/docker.sock alpine docker run --privileged myapp:1.0

Why No Amount of In-Container Restriction Mitigates This

Restricting the container's own user, capabilities, or filesystem access provides no protection against this risk, since the actual privileged action happens through the daemon (responding to socket commands), not through anything the restricted container process itself directly executes.

docker run --user 1000:1000 --read-only -v /var/run/docker.sock:/var/run/docker.sock myapp:1.0

Despite these restrictions, the mounted socket alone is sufficient to achieve full root-level host access through the daemon.
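The practical consequence of the last three sections is that an audit has to treat a mounted Docker socket as a host-root finding regardless of what other restrictions the container carries. The following script is an added example, not part of the original page or of Docker itself: it reads the JSON that `docker inspect` produces (the `Mounts`, `HostConfig.Binds`, `HostConfig.Privileged`, `HostConfig.ReadonlyRootfs`, `HostConfig.CapDrop` and `Config.User` fields are real `docker inspect` fields) and flags socket mounts and privileged containers. The embedded sample is constructed to mirror the three commands above and is not captured from a real host; the function and variable names are the example's own.

```python
import json
import sys
from typing import Dict, List

# Paths at which the daemon's socket is commonly bind-mounted. On systemd-based
# hosts /var/run is a symlink to /run, so both spellings are checked.
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

# Constructed sample in the shape `docker inspect <ids>` returns (not real data).
# Container 1 mirrors the --user/--read-only run with the socket mounted,
# container 2 a privileged container without the socket, container 3 a clean one.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "c1", "Name": "/app-with-socket",
        "Config": {"User": "1000:1000", "Image": "myapp:1.0"},
        "HostConfig": {"Privileged": False, "ReadonlyRootfs": True, "CapDrop": ["ALL"],
                       "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
    },
    {
        "Id": "c2", "Name": "/privileged-only",
        "Config": {"User": "", "Image": "myapp:1.0"},
        "HostConfig": {"Privileged": True, "ReadonlyRootfs": False, "CapDrop": [], "Binds": []},
        "Mounts": [],
    },
    {
        "Id": "c3", "Name": "/clean",
        "Config": {"User": "1000:1000", "Image": "myapp:1.0"},
        "HostConfig": {"Privileged": False, "ReadonlyRootfs": True, "CapDrop": [],
                       "Binds": ["data:/data"]},
        "Mounts": [{"Type": "volume", "Name": "data", "Destination": "/data", "RW": True}],
    },
])


def mounts_docker_socket(container: dict) -> bool:
    """True if the container bind-mounts the daemon socket, via Mounts or Binds."""
    for m in container.get("Mounts") or []:
        if m.get("Type") == "bind" and m.get("Source") in DOCKER_SOCKET_PATHS:
            return True
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        # Binds entries look like "host_path:container_path[:options]".
        if bind.split(":", 1)[0] in DOCKER_SOCKET_PATHS:
            return True
    return False


def audit(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> list of findings, for containers that have any."""
    findings: Dict[str, List[str]] = {}
    for c in json.loads(inspect_json):
        name = c.get("Name") or c.get("Id", "?")
        name = name.lstrip("/")
        hc = c.get("HostConfig", {})
        issues: List[str] = []
        if mounts_docker_socket(c):
            issues.append("CRITICAL: Docker socket mounted; daemon root is reachable from the container")
            # A non-root user, read-only rootfs or dropped capabilities constrain the
            # container's own process only; the daemon still acts as root for it.
            if c.get("Config", {}).get("User") or hc.get("ReadonlyRootfs") or hc.get("CapDrop"):
                issues.append("NOTE: --user/--read-only/--cap-drop present but do not mitigate socket access")
        if hc.get("Privileged"):
            issues.append("HIGH: privileged container")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    # Pipe real output in with: docker inspect $(docker ps -q) | python audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, issues in audit(data).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Run with no input to see the constructed sample scored; on a real host, feed it `docker inspect $(docker ps -q)` on stdin. The socket finding is reported at the highest severity on purpose, and the accompanying note exists so that a reviewer does not downgrade it on seeing `--user` or `--read-only` in the same container's configuration.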

Why Socket Root Access Matters

Understanding that Docker socket access specifically transfers the daemon's own root-level privilege, rather than some intermediate level of access, clarifies why this particular exposure is uniquely severe among container security risks, and why it cannot be meaningfully mitigated by any other in-container restriction.