Rules for Setting Daemon File Permissions

Setting root:root (400) for the Registry Certificate File Ownership

The /etc/docker/certs.d/<registry-name> directory contains the Docker registry certificate. The owner and owner group of the Docker registry certificate files must be root and the permission must be 400 to ensure the certificate integrity.

Setting root:root (600) for the daemon.json File Ownership

The daemon.json file contains sensitive parameters for changing the Docker daemon. It is an important global configuration file. The owner and owner group of the file must be root, and only the root user has the write permission on the file to ensure file integrity. This file does not exist by default.

Generally you need to perform the following operations:
chmod 600 /etc/docker/daemon.json

If the /etc/docker/daemon.json file does not exist, create it.

Setting root:docker (660) for the docker.sock File Ownership

By default the Docker daemon generates a socket (/var/run/docker.sock) file for local process communication. The docker.sock file may contain sensitive parameters that may change the remote API behavior of Docker. Therefore, the owner and owner group of the file must be root:docker. Unless otherwise specified, the file permission must be set to 660 to ensure the file integrity.

Generally you need to perform the following operations:

Go to the /var/run directory and set the owner and permission.
cd /var/run
chown root:docker /var/run/docker.sock
chmod 660 /var/run/docker.sock

Run the following command to check whether the previous modification is successful.

ls -l

If the owner and owner group of the docker.sock file are root:docker and the permission is 660, the modification is successful.
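
The three rules in this document can be checked in one pass. The script below is an added example, not part of the original document; the function names check_perm and audit_docker_files and the optional ROOT prefix argument are assumptions made for illustration, and it relies on GNU stat (stat -c).

```shell
#!/bin/sh
# Added example (not from the original document): audit the files named on
# this page. Function names and the ROOT prefix are illustrative assumptions.
# Requires GNU stat (-c).

# check_perm PATH OWNER:GROUP MODE
# Prints a verdict; returns 0 on match, 1 on mismatch, 2 if PATH is missing.
check_perm() {
    path=$1; want_owner=$2; want_mode=$3
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    # %U:%G = owner and group names, %a = octal permission bits
    got=$(stat -c '%U:%G %a' "$path") || return 2
    if [ "$got" = "$want_owner $want_mode" ]; then
        echo "OK      $path ($got)"
        return 0
    fi
    echo "FAIL    $path is $got, expected $want_owner $want_mode"
    return 1
}

# audit_docker_files [ROOT]
# ROOT is prepended to every path so a copied tree can be audited; leave it
# empty on a live host. Returns 0 only if every check passes.
audit_docker_files() {
    root=${1:-}; rc=0
    check_perm "$root/etc/docker/daemon.json" root:root 600 || rc=1
    check_perm "$root/var/run/docker.sock" root:docker 660 || rc=1
    # Each file under certs.d/<registry-name>/ must be root:root 400.
    for cert in "$root"/etc/docker/certs.d/*/*; do
        [ -f "$cert" ] || continue
        check_perm "$cert" root:root 400 || rc=1
    done
    return "$rc"
}

# Run only when invoked as: sh audit.sh audit [ROOT]
if [ "${1:-}" = "audit" ]; then
    audit_docker_files "${2:-}"
fi
```

A missing daemon.json is reported as a finding because this document instructs you to create the file.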