Setting Permissions for Docker Configuration Files

Setting Permissions for TLS CA Certificates

  • Set the owner and owner group of the TLS CA certificate file to root:root, and set the permission to 400.

    The TLS CA certificate file (its path is specified by --tlscacert) must be protected from tampering: the Docker client uses this CA certificate to authenticate the Docker server, so a tampered CA certificate would let an untrusted server be accepted. Therefore, the owner and owner group of the CA certificate must be root, and the permission must be 400 to ensure the integrity of the CA certificate.

    You can perform the following operations to set the file properties:

    1. Run the following command to set the owner and owner group of the file to root:
      chown root:root <path to TLS CA certificate file>

      Generally, the TLS CA certificate file is located under /usr/local/share/ca-certificates.

    2. Set the file permission to 400.
      chmod 400 <path to TLS CA certificate file>

Setting Permissions for /etc/docker/daemon.json

  • The owner and owner group of the daemon.json file are set to root:root, and the file permission is set to 600.

    The daemon.json file contains sensitive parameters that control the Docker daemon and is an important global configuration file. The owner and owner group of the file must be root, and only the root user may read and write the file (permission 600) to ensure file integrity. This file does not exist by default.

    • If the daemon.json file does not exist by default, the product does not use this file for configuration. In this case, start the Docker daemon with an empty configuration file path so that /etc/docker/daemon.json is not read as the default configuration file; this prevents an attacker from creating the file and injecting configuration. Add the following parameter to the daemon startup parameters (the flag belongs to dockerd, the daemon, not to the docker client):
      dockerd --config-file=""
    • If the daemon.json file exists in the product environment, the file has been used for configuration. In this case, you need to set the corresponding permission to prevent malicious modification.
      1. Run the following command to set the owner and owner group of the file to root:
        chown root:root /etc/docker/daemon.json
      2. Run the following command to set the file permission to 600:
        chmod 600 /etc/docker/daemon.json

Setting Permissions for Docker Directories and Files

Table 1 Setting permissions for Docker directories and files ("or more restrictive" means the listed mode or any mode that grants fewer rights)

Directory or file      | File Owner  | File Permission
-----------------------|-------------|------------------------
/etc/default/docker    | root:root   | 644 or more restrictive
/etc/sysconfig/docker  | root:root   | 644 or more restrictive
docker.service         | root:root   | 644
docker.sock            | root:docker | 660
/etc/docker            | root:root   | 755 or more restrictive
docker.socket          | root:root   | 644 or more restrictive

If the file or directory does not exist, ignore this part.
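The following audit script is an added example, not part of the product documentation: it checks the owner and mode of daemon.json and of every row in Table 1, treating "or higher" as "or more restrictive", and skips paths that do not exist. It assumes GNU coreutils stat (Linux); the socket path /var/run/docker.sock and the unit file directory /usr/lib/systemd/system are assumptions the page does not state.

```sh
#!/bin/sh
# Audit of the Docker file permissions in Table 1 (added example, not part of
# the product documentation). Assumes GNU coreutils stat (Linux).

# check_perm PATH OWNER MODE [exact|max]
#   exact: the mode must equal MODE (e.g. docker.sock 660)
#   max:   MODE or anything more restrictive is accepted ("644 or higher")
# Returns 0 on pass, 1 on fail. Paths that do not exist are skipped, as the
# page says to ignore them.
check_perm() {
  path=$1 want_owner=$2 want_mode=$3 rule=${4:-exact}
  if [ ! -e "$path" ]; then
    echo "SKIP $path (does not exist)"; return 0
  fi
  got_owner=$(stat -c '%U:%G' "$path")
  got_mode=$(stat -c '%a' "$path")
  ok=1
  [ "$got_owner" = "$want_owner" ] || ok=0
  if [ "$rule" = max ]; then
    # octal arithmetic: fail if any bit is set that the expected mode lacks
    [ $(( 0$got_mode & ~0$want_mode )) -eq 0 ] || ok=0
  else
    [ "$got_mode" = "$want_mode" ] || ok=0
  fi
  if [ "$ok" -eq 1 ]; then
    echo "OK   $path $got_owner $got_mode"; return 0
  fi
  echo "FAIL $path is $got_owner $got_mode, expected $want_owner $want_mode ($rule)"
  return 1
}

# audit_docker_files runs every row of Table 1 plus daemon.json and returns
# the number of failing entries. Socket and unit file paths are assumptions
# (the systemd defaults); adjust them for your distribution.
audit_docker_files() {
  fails=0
  check_perm /etc/docker/daemon.json root:root   600 exact || fails=$((fails + 1))
  check_perm /etc/default/docker     root:root   644 max   || fails=$((fails + 1))
  check_perm /etc/sysconfig/docker   root:root   644 max   || fails=$((fails + 1))
  check_perm /etc/docker             root:root   755 max   || fails=$((fails + 1))
  check_perm /var/run/docker.sock    root:docker 660 exact || fails=$((fails + 1))
  check_perm /usr/lib/systemd/system/docker.service root:root 644 exact || fails=$((fails + 1))
  check_perm /usr/lib/systemd/system/docker.socket  root:root 644 max   || fails=$((fails + 1))
  return "$fails"
}
```

Run `audit_docker_files` as root after applying the chown/chmod steps above; a non-zero return value means at least one entry still deviates from the table.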