Setting Permissions for Docker Configuration Files
Setting Permissions for TLS CA Certificates
Set the owner and owner group of the TLS CA certificate file to root:root, and set the permission to 400.
The TLS CA certificate file (its path is specified by the --tlscacert parameter) must be protected from being tampered with: it is the CA certificate that clients use to authenticate the Docker server. Therefore, the owner and owner group of the CA certificate file must be root, and the permission must be 400 to ensure the integrity of the CA certificate.
You can perform the following operations to set the file properties:
- Run the following command to set the owner and owner group of the file to root:
chown -h root:root <path to TLS CA certificate file>
Generally, the TLS CA certificate file is located under /usr/local/share/ca-certificates.
- Set the file permission to 400.
chmod 400 <path to TLS CA certificate file>
Docker Server Certificate Permission Configuration
The owner and owner group of the Docker server certificate file are root:root, and the permission is set to 400.
Protect the Docker server certificate file (its path is specified by the --tlscert parameter) from being tampered with. This is the certificate the Docker server presents to authenticate itself to clients. Therefore, the owner and owner group of the server certificate file must be root, and the permission must be 400 to ensure the integrity of the certificate.
- Run the following command to set the owner and owner group of the file to root:
chown -h root:root <path to Docker server certificate file>
- Set the file permission to 400.
chmod 400 <path to Docker server certificate file>
Docker Server Certificate Key Permission Configuration
The owner and owner group of the Docker server certificate key file are root:root, and the permission is set to 400.
Protect the Docker server certificate key file (its path is specified by the --tlskey parameter) from being tampered with or read by other users. The key file contains the private key of the Docker server certificate. Therefore, the owner and owner group of the key file must be root, and the permission must be 400 to ensure the integrity of the Docker server certificate.
- Run the following command to set the owner and owner group of the file to root:
chown -h root:root <path to Docker server certificate key file>
- Set the file permission to 400.
chmod 400 <path to Docker server certificate key file>
Setting Permissions for /etc/docker/daemon.json
The owner and owner group of the daemon.json file are set to root:root, and the file permission is set to 600.
The daemon.json file contains sensitive parameters that change the behaviour of the Docker daemon. It is an important global configuration file. The owner and owner group of the file must be root, and only the root user may have write permission on the file, to ensure file integrity. This file does not exist by default.
- If the daemon.json file does not exist, the product does not use this file for configuration. In this case, pass an empty configuration file path in the daemon boot parameters so that /etc/docker/daemon.json is not picked up as the default configuration file; this prevents an attacker from creating the file and injecting configuration. The daemon binary is dockerd, so the parameter is:
dockerd --config-file=""
- If the daemon.json file exists in the product environment, it is already used for configuration. In this case, set the following ownership and permission to prevent malicious modification.
- Run the following command to set the owner and owner group of the file to root:
chown -h root:root /etc/docker/daemon.json
- Run the following command to set the file permission to 600:
chmod 600 /etc/docker/daemon.json
Setting Permissions for Docker Directories and Files
- Ensure that no user is added to the Docker user group.
- Set the owner of /etc/default/docker to root:root and the file permission to 644 or more restrictive.
- Set the owner of /etc/sysconfig/docker to root:root and the file permission to 644 or more restrictive.
- Set the owner of docker.service to root:root and the file permission to 644.
- Set the owner of docker.sock to root:docker and the file permission to 660.
- Set the owner of /etc/docker to root:root and the directory permission to 755 or more restrictive.
- Set the owner of docker.socket to root:root and the file permission to 644 or more restrictive.
If the file or directory does not exist, ignore this part.
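The following audit script is an added example, not part of this guide: it checks each file from the settings above for the expected owner:group and verifies that its mode is no more permissive than the stated maximum, skipping files that are absent. It assumes GNU coreutils stat (Linux); the systemd unit paths and the socket path in the table are assumed typical locations, and the TLS file paths must be taken from the daemon's --tlscacert, --tlscert and --tlskey parameters.

```shell
#!/bin/sh
# Added audit helper for the Docker file-permission settings above (example code,
# not from the original guide). Assumes GNU coreutils stat.

# mode_within MODE MAX: true if every permission bit set in MODE is also set in
# MAX, i.e. MODE is "MAX or more restrictive" (600 within 644: yes; 644 within 600: no).
mode_within() {
    [ $(( 0$1 & ~0$2 )) -eq 0 ]
}

# check_file PATH OWNER:GROUP MAX_MODE
#   0 = compliant, 1 = wrong owner or too permissive, 2 = absent (the guide says
#   to skip files that do not exist). OWNER:GROUP may be names (root:root) or
#   numeric ids (0:0).
check_file() {
    [ -e "$1" ] || return 2
    [ "$(stat -c '%U:%G' "$1")" = "$2" ] || [ "$(stat -c '%u:%g' "$1")" = "$2" ] || return 1
    mode_within "$(stat -c '%a' "$1")" "$3"
}

# audit_files: reads "PATH OWNER:GROUP MAX_MODE" lines from stdin, prints one
# verdict per line, and returns 0 only when every existing file is compliant.
audit_files() {
    rc=0
    while read -r path owner max; do
        check_file "$path" "$owner" "$max" && st=0 || st=$?
        case $st in
            0) printf 'OK    %s\n' "$path" ;;
            2) printf 'SKIP  %s (absent)\n' "$path" ;;
            *) printf 'FAIL  %s (want %s, mode %s or more restrictive)\n' "$path" "$owner" "$max"; rc=1 ;;
        esac
    done
    return $rc
}

# The guide's settings. Unit file and socket paths are assumed typical locations;
# add the files named by --tlscacert, --tlscert and --tlskey with "root:root 400".
docker_table() {
    cat <<'EOF'
/etc/docker/daemon.json root:root 600
/etc/default/docker root:root 644
/etc/sysconfig/docker root:root 644
/etc/docker root:root 755
/run/docker.sock root:docker 660
/lib/systemd/system/docker.service root:root 644
/lib/systemd/system/docker.socket root:root 644
EOF
}

# Usage on a host: docker_table | audit_files
```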