Add option to control group ownership of containerd socket file

[slonopotamus]

What is the problem you're trying to solve

Currently, /var/run/containerd/containerd.sock is created with root/root ownership and 660 permissions.

It some environments, it is desirable to allow other users except root to talk to containerd.

dockerd has the following option to achieve this:

-G, --group string                            Group for the unix socket (default "docker")

buildkitd has a similar option:

--group value                               group name(s), comma-separated, which will have RW access to the named pipe listening addresses

Describe the solution you'd like

Add similar option to containerd.

Additional context

Implementation should support specifying group both on Linux and Windows. Possibly the easiest way is to Ctrl+C/Ctrl+V code from BuildKit.

P.S. I do understand that such option allows those users to gain root access. The point is that members of the group are trusted and already have sudo access, so it just makes their lives more convenient.

This issue is somewhat related to #6087, but I believe it is not a duplicate because my approach is more straightforward and doesn't rely on third-party tools to pre-create socket file (is it possible at all on Windows?)

[TBBle]

@slonopotamus I see you have a commit to address this over in the darwin-containers fork, have you looked at putting it up for PR here? It looks like a simple and easy win to me, with no default behaviour change.

[slonopotamus]

It's not finished (needs more code for Windows support).

[samuelkarp]

Access to the containerd socket is equivalent to root. We do not generally encourage expanding access to the socket beyond UID 0/GID 0. Unprivileged users who need access to the containerd socket can gain access using sudo (subject to the sudoers policy). Unprivileged processes may need to use an intermediary that filters access; see containerd/.project#131 for a similar use-case.

[slonopotamus]

Access to the containerd socket is equivalent to root

Yeah, as I mentioned initially in this issue, we open a local privilege escalation path. However, as I also mentioned, I believe there are cases where this is desired and both Moby and BuildKit provide a way to adjust socket permissions.

[rabindra-harlalka]

@samuelkarp , @AkihiroSuda ,
Hello, I am also looking for this feature. On Windows, I am looking for running the client (e.g., nerdctl) as a regular user to build images or to run other containers. This is useful when running the client in non-interactive mode (e.g., as part of a script), or to avoid constant UAC prompts in a strict environment when running interactively. Since containerd/nerdctl doesn't support rootless mode on Windows, this capability is especially useful for Windows.
I am unable to understand why this is insecure. If the containerd toml file is writable by admin only, and the admin grants access to a certain group they trust (by using a grpc config flag like security_descriptor or user/group like #11786 does), then I don't see a risk arising from these trusted users. If the risk is local privilege escalation due to a malicious attacker, then that attacker would first need write access to the containerd toml file to add their id in the config.
Are there objections to a PR that adds a config like security_descriptor for Windows? Is there anything else that you would like included to mitigate any risk?

[slonopotamus]

That's exactly my usecase why I want this feature.