# DOCKER-SEC-006: Docker Socket Mounted as Volume

> **Severity:** CRITICAL | **CWE:** CWE-250

- **Language:** Docker
- **Category:** Security
- **URL:** https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-006
- **Detection:** `pathfinder scan --ruleset docker/DOCKER-SEC-006 --project .`

## Description

This rule detects VOLUME instructions that mount the Docker socket into a container.
Mounting the Docker socket (/var/run/docker.sock or /run/docker.sock) gives a container
full control over the host's Docker daemon, which is equivalent to unrestricted root
access on the host machine.

## Vulnerable Code

```dockerfile
FROM docker:latest

# CRITICAL: Exposes Docker socket as volume
VOLUME ["/var/run/docker.sock"]

# This container can now control the host Docker daemon
CMD ["docker", "ps"]
```

## Detection Rule (Python SDK)

```python
from codepathfinder.container_decorators import dockerfile_rule
from codepathfinder.container_matchers import instruction
from codepathfinder.container_combinators import any_of


@dockerfile_rule(
    id="DOCKER-SEC-006",
    name="Docker Socket Mounted as Volume",
    severity="CRITICAL",
    cwe="CWE-250",
    category="security",
    tags="docker,dockerfile,docker-socket,volume,security,privilege-escalation,container-escape,daemon,host-access,critical",
    message="Dockerfile mounts Docker socket. This gives the container full control over the host Docker daemon, equivalent to root access."
)
def docker_socket_in_volume():
    """
    Detects VOLUME instructions that include Docker socket paths.

    Mounting the Docker socket inside a container gives it full control
    over the Docker daemon, allowing it to create privileged containers,
    access host filesystem, and effectively become root on the host.
    """
    return any_of(
        instruction(type="VOLUME", contains="/var/run/docker.sock"),
        instruction(type="VOLUME", contains="/run/docker.sock"),
        instruction(type="VOLUME", contains="docker.sock")
    )
```
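As an added example (not the Code Pathfinder SDK or its registry code), the checker below applies the same three socket markers to raw Dockerfile text, handling both the JSON-array and shell forms of `VOLUME` plus backslash line continuations; the function names are mine and `SAMPLE` is a constructed input.

```python
"""Added stand-alone checker (not the Code Pathfinder SDK) for DOCKER-SEC-006 findings."""
import json
import re
import shlex

# Paths the rule matches; bare "docker.sock" also catches a relocated daemon socket.
SOCKET_MARKERS = ("/var/run/docker.sock", "/run/docker.sock", "docker.sock")


def logical_lines(text):
    """Yield (line_number, instruction_text), folding backslash continuations."""
    buf, start = [], 0
    for n, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if not buf:
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank lines and comments between instructions
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
        else:
            buf.append(line)
            yield start, " ".join(buf)
            buf = []


def volume_paths(arguments):
    """VOLUME takes either a JSON array or whitespace-separated shell form."""
    arguments = arguments.strip()
    if arguments.startswith("["):
        try:
            return [str(p) for p in json.loads(arguments)]
        except ValueError:
            pass  # malformed JSON form: fall back to shell-style parsing
    return shlex.split(arguments)


def find_docker_socket_volumes(dockerfile_text):
    """Return [(line_number, path)] for each VOLUME path naming a Docker socket."""
    findings = []
    for lineno, instr in logical_lines(dockerfile_text):
        m = re.match(r"\s*VOLUME\s+(.*)$", instr, re.IGNORECASE)
        if m:
            for path in volume_paths(m.group(1)):
                if any(marker in path for marker in SOCKET_MARKERS):
                    findings.append((lineno, path))
    return findings


# Constructed sample: a harmless mount point plus socket mounts in both syntaxes.
SAMPLE = ('FROM docker:latest\nVOLUME ["/data", \\\n  "/var/run/docker.sock"]\n'
          'VOLUME /run/docker.sock /cache\nCMD ["docker", "ps"]\n')
```

`find_docker_socket_volumes(SAMPLE)` reports the socket on line 2 (the continued JSON form) and on line 4 (shell form) while ignoring `/data` and `/cache`.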

## How to Fix

- Never mount the Docker socket into application containers
- Use the Docker API over TLS with client certificates if remote access is needed
- Consider rootless Docker or Podman to reduce socket exposure risk

## Security Implications

- **Container Escape:** Create privileged containers that mount the host filesystem (`docker run -v /:/host --privileged alpine chroot /host /bin/sh`). This gives the attacker a root shell on the host.
- **Privilege Escalation:** Start containers with any user ID, including UID 0 (root), and mount any host directory as a volume.
- **Persistence:** Deploy malicious containers that persist across reboots by modifying host systemd services or cron jobs.
- **Data Exfiltration:** Access all volumes, images, and containers on the host, including those containing sensitive data from other applications.
- **Resource Hijacking:** Deploy cryptocurrency miners or consume all host resources to cause denial of service.
- **Lateral Movement:** Access other containers' filesystems and networks, potentially compromising the entire infrastructure.

Real-world attack chain:

```bash
# Attacker gains shell in container with Docker socket mounted
# Step 1: List all containers
docker ps -a
# Step 2: Create privileged container mounting host root
docker run -it -v /:/host --privileged alpine /bin/sh
# Step 3: Chroot into host filesystem
chroot /host /bin/bash
# Step 4: Now has root access to host - install backdoor
echo "* * * * * root /tmp/backdoor.sh" >> /etc/crontab
```

## FAQ

**Q: Why is mounting docker.sock dangerous?**

The Docker socket gives unrestricted access to the Docker daemon. A container with the socket mounted can create privileged containers, access host filesystems, and effectively gain root on the host.

**Q: What if I need Docker-in-Docker for CI/CD?**

Use Docker-in-Docker (dind) with TLS enabled, or use Kaniko/Buildah for building images without requiring Docker socket access.

## References

- [CWE-250: Execution with Unnecessary Privileges](https://cwe.mitre.org/data/definitions/250.html)
- [Docker Socket Security Advisory](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
- [NIST SP 800-190: Application Container Security Guide](https://csrc.nist.gov/publications)
- [CIS Docker Benchmark: Section 5.31](https://www.cisecurity.org/benchmark/docker)

---

Source: https://codepathfinder.dev/registry/docker/security/DOCKER-SEC-006
Code Pathfinder — Open source, type-aware SAST with cross-file dataflow analysis
