3.23 Ensure that the Containerd socket file ownership is set to root:root

Information

You should verify that the Containerd socket file is owned by root and group owned by root.

Rationale:

Containerd is an underlying component used by Docker to create and manage containers. It provides a socket file similar to the Docker socket, which must be protected from unauthorized access. If any other user or process owns this socket, it might be possible for that non-privileged user or process to interact with the Containerd daemon. Additionally, in this case a non-privileged user or process might be able to interact with containers which is neither a secure nor desired behavior.

Unlike the Docker socket, there is usually no requirement for non-privileged users to connect to the socket, so the ownership should be root:root.

Impact:

None.

Solution

You should execute the following command:

chown root:root /run/containerd/containerd.sock

This sets the ownership to root and group ownership to root for the default Containerd socket file.

Default Value:

By default, the ownership and group ownership for the Containerd socket file is correctly set to root:root.

See Also

https://workbench.cisecurity.org/benchmarks/11818