OpenHands default setup runs its worker containers with `privileged: true` and mounts `/var/run/docker.sock` from the host. This is a full breakout risk.
If you're trying to lock it down, you'll hit permission errors. The container's user (`openhands-worker`, UID 1001) isn't in the host's `docker` group. Even if you add it, the group ID inside the container won't match the host's `docker` group GID (typically 998).
Quick fix is to run the worker as root (bad) or set the host docker.sock to world-readable (worse).
Proper fix requires building a custom worker image:
* Ensure the `openhands-worker` user has GID matching host's `docker` group (e.g., 998).
* Add the user to the `docker` group inside the image.
* Run as non-root `USER openhands-worker`.
* Mount socket read-only.
Example Dockerfile addition:
```dockerfile
RUN groupadd -g 998 docker &&
usermod -aG docker openhands-worker
USER openhands-worker
```
Then update your compose to mount socket read-only and drop `privileged: true`.
```yaml
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
securityContext:
privileged: false
```
Their default posture is wide open. You have to rebuild to secure it.
/root
USER nobody