In this blog article, I found the quote below in a comment:
Ben Firshman
Yes – you're right I should have pointed out the security issue
For the rest of us, could someone explain in clear terminology exactly what this "security issue" is?
The owner of the docker /var/run/docker.sock is root of the host where the container is running, with default group membership to docker group. That's why mounting var/run/docker.sock inside another container gives you root privileges since now you can do anything that a root user with group membership of docker can.
Does this effectively prohibit this approach from Production usage? If so, is there a workaround?
For a workaround, maybe these posts will help: https://integratedcode.us/2016/04/08/user-namespaces-sharing-the-docker-unix-socket/ and https://integratedcode.us/2016/04/20/sharing-the-docker-unix-socket-with-unprivileged-containers-redux/
Taking a step back, it would be useful to understand the use case where you need to mount var/run/docker.sock and see if there are alternative ways of satisfying the use case. Unfortunately, without a use case description in the question, it is difficult to provide an alternative which avoids mounting the unix socket.
Good luck and kudos for trying to do the right thing!
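As an added example (not part of the original thread or of Docker's own tooling), the following script turns the answer above into an audit check: it parses the JSON that `docker inspect` prints and reports every container that can reach the daemon socket, either by mounting the socket itself or by mounting a parent directory such as `/var/run` or `/`. The sample inspect output is constructed for the demonstration, and `find_socket_mounts` and `_exposes_socket` are the example's own helpers.

```python
import json
import os
import sys

# Paths at which the Docker daemon socket is normally found
# (/run is a symlink to /var/run on most distributions).
SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")


def _exposes_socket(host_path):
    """True if a host path bind-mounted into a container is the daemon socket
    itself or a directory that contains it (mounting /var/run or / exposes it too)."""
    src = os.path.normpath(host_path)
    for sock in SOCKET_PATHS:
        if src == sock or sock.startswith(src.rstrip("/") + "/"):
            return True
    return False


def find_socket_mounts(inspect_json):
    """Parse `docker inspect` output and return one finding per container that
    has the daemon socket reachable through a bind mount."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/") or container.get("Id", "")[:12]
        host_cfg = container.get("HostConfig", {})
        # "Mounts" is the daemon's resolved view of what is actually mounted.
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and _exposes_socket(mount.get("Source", "")):
                findings.append({
                    "container": name,
                    "source": mount["Source"],
                    "destination": mount.get("Destination"),
                    # Informational only: a read-only bind mount does not stop a
                    # process from connecting to the socket and issuing API calls.
                    "read_only": not mount.get("RW", True),
                    "userns": host_cfg.get("UsernsMode", "") or "daemon default",
                })
    return findings


# Constructed sample resembling `docker inspect` output; not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3d4e5f6", "Name": "/ci-agent",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}],
     "HostConfig": {"UsernsMode": ""}},
    {"Id": "0f9e8d7c6b5a", "Name": "/web",
     "Mounts": [{"Type": "volume", "Name": "web-data", "Source": "/var/lib/docker/volumes/web-data/_data",
                 "Destination": "/data", "RW": True}],
     "HostConfig": {"UsernsMode": ""}},
    {"Id": "1122334455aa", "Name": "/monitor",
     "Mounts": [{"Type": "bind", "Source": "/var/run",
                 "Destination": "/host/run", "RW": False}],
     "HostConfig": {"UsernsMode": "host"}},
])


if __name__ == "__main__":
    # Feed real data with: docker inspect $(docker ps -q) | python3 audit_socket.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for f in find_socket_mounts(data):
        print("{container}: {source} -> {destination} (read_only={read_only}, userns={userns})".format(**f))
```

Each finding is equivalent to host root for whoever controls that container, which is the point the answer makes; the `read_only` and `userns` fields are there to show that neither `:ro` nor running the daemon under a user-namespace remap changes the conclusion on its own, only reducing the blast radius in the remapped case.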