Hi @maxmeyer, thank you for filling this issue.
I think you can solve your problem by setting the DOCKER_CONFIG environment variable:

$ export DOCKER_CONFIG=~/.docker

$ sudo docker build...

@silvin-lubecki Thanks a lot. I found the issue, it was my fault. docker was an alias in my setup (sudo /usr/bin/docker). Sorry!

There still seems to be a problem, I updated the issue description accordingly.

BTW: For other readers trying to use the workaround, don't forget to update your /etc/sudoers: Add Defaults env_keep += "DOCKER_CONFIG"; otherwise sudo will strip the DOCKER_CONFIG-variable from env.

I'm not quite sure what your expectation is regarding functionality. The core usage of sudo is "su do", essentially letting you run something as super user (root). Since you're running as root by design user path expansions (~/) will resolve to the root directory. sudo also root context switches before running the docker command so all docker will see is "I'm running as root" and not "I'm being run through sudo invoked by user X". The environment variable solution is perfectly valid given the context of how you're running docker.

As a side note this is a bit concerning from a principle of least privilege security perspective. In most cases running docker builds as a non-root user is sufficient enough. The example docker file you've provided doesn't appear to require anything for root privileges. If there is something which requires root permissions access you'd be better off considering user/group permission adjustments to make it available to the process (after researching whether or not users outside of root should be accessing it).

This is not a bug / issue with the docker cli, but the way things work when using sudo;

$ sh -c 'cd ~ && pwd'
/Users/sebastiaan

$ sudo sh -c 'cd ~ && pwd'
/Users/sebastiaan

$ sudo -H -i sh -c 'cd ~ && pwd'
/var/root

As a side note this is a bit concerning from a principle of least privilege security perspective. In most cases running docker builds as a non-root user is sufficient enough. The example docker file you've provided doesn't appear to require anything for root privileges. If there is something which requires root permissions access you'd be better off considering user/group permission adjustments to make it available to the process (after researching whether or not users outside of root should be accessing it).

@cwgem note that Docker uses a client-server architecture; the daemon (server) runs as root, and containers are running as root by default.

Using sudo <some docker command> will only run the Docker _CLI_ as root, but won't change anything about the _container_ that is started; using sudo (or adding the current user to the docker group) may be needed becase (by default), when running a local daemon, the Docker CLI connects to the daemon over a unix socket (/var/run/docker.sock), and permissions on that socket restrict a non-privileged user from connecting.

To run a _container_ as non-root;

• use the USER Dockerfile instruction when building the Docker image that you start the container from
• use the --user=<user>[:<group>] option when starting the container

As described above, this is not a bug, so I'll close this issue, but feel free to continue the conversation

@thaJeztah My concerns on least privilege were more around the docker build process in its entirety requiring root privileges. For example a maliciously crafted Dockerfile could copy root restricted files to the container with some code to upload it to a malicious server. Even with the docker service maintaining root privileges for various operations such as cgroup applications it still exposes it to the client through an API. Granted that being a service means that there is always the possibility of malicious content injection to API calls spawning a privilege escalation (though there are probably easier routes a malicious attacker with local access could take).

Running containers themselves can utilize cgroups for *NIX based hosts (iirc you can do VM isolation through a certain Hyper-V integration in Windows) so even running containers as root still enables some level of privilege isolation. Granted vulnerabilities in the underlying cgroup system could break that isolation.

For example a maliciously crafted Dockerfile could copy root restricted files to the container with some code to upload it to a malicious server.

When performing a docker build, you explicitly pass the _build context_ to the daemon; for example, the last . in the build command below indicates the path to the build context (in this case, the current directory);

docker build -t foobar .

What happens after that, is that the Docker CLI tar/gz's the specified path (current directory), and uploads that to the daemon.

The daemon will extract those files, and _only_ those files can be used in the Dockerfile, nothing outside of the files that were passed to the daemon as build-context.

This means that a malicious Dockerfile can only be harmful if the user got tricked into building the Dockerfile using a context that contains sensitive data ("put this Dockerfile in your home-directory, and run docker build .")