10

Question

Could creating a docker group be a bad idea from a security perspective?

I saw Stack Exchange answers which say to create a docker group to avoid needing root permission or sudo.

However, I think the article "Why we don't let non-root users run Docker in CentOS, Fedora, or RHEL" makes sense too.

Docker has the ability to change the group ownership of the /run/docker.socket to have group permission of 660, with the group ownership the docker group. This would allow users added to the docker group to be able to run docker containers without having to execute sudo or su to become root.


mon

1 Answer

10

The documentation (especially the Manage Docker as a non-root user part of Post-installation steps for Linux) is really clear on this:

Warning: The docker group grants privileges equivalent to the root user. For details on how this impacts security in your system, see Docker Daemon Attack Surface.

Creating the docker group by itself does not imply a security risk (which is what you have been asking). But adding a user to this group may increase your attack surface (which is what you probably wanted to ask). The actual security risk depends on your threat model.

Murmel
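An audit sketch for the point made in the answer above, added here as an example and not part of the original post or of Docker's documentation: it lists every account that ends up in the docker group (including through a primary GID, which `/etc/group` does not show) and reports who can write to the daemon socket. The socket path `/run/docker.sock`, the function names and the sample data are assumptions made for this example.

```python
import os
import stat

SOCKET_PATH = "/run/docker.sock"  # assumption: Docker's default socket location

# Constructed sample data (not from any real host).
SAMPLE_GROUP = """root:x:0:
wheel:x:10:alice
docker:x:990:alice,ci-runner
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:990::/home/bob:/bin/bash
ci-runner:x:1002:1002::/home/ci-runner:/sbin/nologin
"""

def group_members(group_text, passwd_text, name="docker"):
    """Return (gid, users) for `name`, counting supplementary and primary-GID members."""
    gid, users = None, set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[0] == name:
            gid = int(f[2])
            users.update(u for u in f[3].split(",") if u)
    for line in passwd_text.splitlines():
        f = line.split(":")
        # A user whose primary GID is the group never appears in /etc/group.
        if gid is not None and len(f) >= 4 and f[3] == str(gid):
            users.add(f[0])
    return gid, sorted(users)

def socket_findings(mode, gid, docker_gid):
    """Describe who can write to (and so control) the daemon socket."""
    out = []
    if mode & stat.S_IWOTH:
        out.append("socket is writable by every local user")
    if mode & stat.S_IWGRP and gid != 0:
        who = "docker group" if gid == docker_gid else f"gid {gid}"
        out.append(f"socket is writable by {who}")
    return out

if __name__ == "__main__":
    with open("/etc/group") as g, open("/etc/passwd") as p:
        gid, users = group_members(g.read(), p.read())
    print("docker group members (root-equivalent):", users or "none")
    if os.path.exists(SOCKET_PATH):
        st = os.stat(SOCKET_PATH)
        for finding in socket_findings(stat.S_IMODE(st.st_mode), st.st_gid, gid):
            print("finding:", finding)
```

This reads only the local `/etc/group` and `/etc/passwd`; members supplied by LDAP, SSSD or another NSS source are not covered.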