Security of Docker as it runs as root user
When you run as root, you can access a broader range of kernel services. For instance, you can:
- manipulate network interfaces, routing tables, netfilter rules;
- create raw sockets (and generally speaking, "exotic" sockets, exercising code that has received less scrutiny than good old TCP and UDP);
- mount/unmount/remount filesystems;
- change file ownership, permissions, extended attributes, overriding regular permissions (i.e. using slightly different code paths);
- etc.
(It's interesting to note that all those examples are protected by capabilities.)
The key point is that as root, you can exercise more kernel code; if there is a vulnerability in that code, you can trigger it as root, but not as a regular user.
Additionally, if someone finds a way to break out of a container, if you break out as root, you can do much more damage than as a regular user, obviously.
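The answer's point is that every one of those kernel services is gated by a capability, so the practical defender's check is to look at which capabilities a containerised root process actually holds and drop the ones it does not need. The following script is an added example (not part of the answer above, and not Docker's own tooling): it decodes a `CapEff` bitmask as printed in `/proc/<pid>/status`, maps the capabilities back to the services the answer lists, and reads the live value when run on Linux. The two sample masks are constructed here: the first matches the default set a root process receives in a stock Docker container, the second what remains after `--cap-drop ALL --cap-add NET_BIND_SERVICE`. The service descriptions in `GATED_SERVICES` are my own summary of each capability's purpose, not text from the page.

```python
"""Decode a Linux CapEff bitmask and report which root-only kernel services
remain reachable. Added example; assumes a Linux-style /proc layout."""
from typing import Dict, Optional, Set

# Capability bit numbers as defined in <linux/capability.h> (index == bit).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The root-only kernel services named in the answer, keyed by the capability
# that gates them (descriptions are my own summary, not from the page).
GATED_SERVICES = {
    "CAP_NET_ADMIN": "configure network interfaces, routing tables, netfilter",
    "CAP_NET_RAW": "create raw / packet sockets",
    "CAP_SYS_ADMIN": "mount, unmount and remount filesystems",
    "CAP_CHOWN": "change file ownership",
    "CAP_FOWNER": "change permissions and xattrs on files you do not own",
    "CAP_DAC_OVERRIDE": "bypass regular read/write/execute permission checks",
}

# Constructed samples: default Docker root set, and a hardened set that keeps
# only CAP_NET_BIND_SERVICE (bit 10).
DOCKER_DEFAULT_CAPEFF = "00000000a80425fb"
HARDENED_CAPEFF = "0000000000000400"


def decode_caps(mask_hex: str) -> Set[str]:
    """Turn a hex CapEff value into the set of capability names it contains."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def reachable_services(caps: Set[str]) -> Dict[str, str]:
    """Which of the answer's root-only services this capability set still allows."""
    return {cap: svc for cap, svc in GATED_SERVICES.items() if cap in caps}


def read_cap_eff(status_path: str = "/proc/self/status") -> Optional[str]:
    """Read the effective capability mask of the current process, or None
    when the file is absent (non-Linux host)."""
    try:
        with open(status_path) as status:
            for line in status:
                if line.startswith("CapEff:"):
                    return line.split()[1]
    except OSError:
        return None
    return None


def report(mask_hex: str) -> str:
    caps = decode_caps(mask_hex)
    lines = [f"CapEff {mask_hex}: {len(caps)} capabilities"]
    for cap, svc in sorted(reachable_services(caps).items()):
        lines.append(f"  {cap:<18} -> can {svc}")
    if not reachable_services(caps):
        lines.append("  none of the listed root-only services are reachable")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_cap_eff()
    print(report(live) if live else "no /proc/self/status; showing samples")
    print(report(DOCKER_DEFAULT_CAPEFF))
    print(report(HARDENED_CAPEFF))
```

Run it inside a container to see what the process really holds; in a stock container the default mask still allows raw sockets and ownership changes but not interface configuration or mounts, while the hardened mask reaches none of the listed services. The corresponding Docker flags are `--cap-drop ALL` with an explicit `--cap-add` for each capability the workload needs, and `--user` to avoid running as uid 0 at all.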