Source: docker.io
Severity: important
Control: tag -1 + patch
Control: block 806261 by -1

Dear Maintainers,

docker.io sets /etc/docker to be owned and only readable by root, despite defining a “docker” group.

In particular, this is problematic for daemons such as docker-registry that do not run as root and need to access data under /etc/docker.

I attached a patch that makes /etc/docker owned by 'root:docker' with mode 0710.

The matching fix in docker-registry is to make the user docker-registry a member of the docker group (creating it if required), and apply those permissions to /etc/docker.

Best,

  nicoo

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

>From bd4355bce6ccea582bf01226060ac1bc53d34cf9 Mon Sep 17 00:00:00 2001 From: Nicolas Braud-Santoni <nico...@braud-santoni.eu> Date: Thu, 14 Jul 2016 16:42:48 +0200 Subject: [PATCH] Fix /etc/docker permissions --- debian/docker.io.postinst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/debian/docker.io.postinst b/debian/docker.io.postinst index 5fd8847..295a348 100644 --- a/debian/docker.io.postinst +++ b/debian/docker.io.postinst @@ -6,6 +6,14 @@ case "$1" in if [ -z "$2" ]; then addgroup --system docker fi + + # Ensure config directory permissions + # On a fresh install, $2 = '' and dpkg treat that as a + # lower version, so the permissions get fixed too. + if dpkg --compare-versions "$2" le '1.11.2~ds1-1'; then + chown 'root:docker' /etc/docker + chmod 0710 /etc/docker + fi ;; abort-*) # How'd we get here?? -- 2.8.1
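
Review bot: The chown 'root:docker' /etc/docker and chmod 0710 /etc/docker calls inside the new dpkg --compare-versions block run without checking that /etc/docker exists or that the administrator has registered a local override for it, so an upgrade from 1.11.2~ds1-1 or earlier silently replaces whatever ownership and mode were set on purpose. Consider guarding both commands with [ -d /etc/docker ] and skipping them when dpkg-statoverride --list /etc/docker succeeds. The change is also not recursive, and 0710 gives the docker group traversal but not listing, so whether a group member can read a given file under /etc/docker still depends on that file's own mode; it is worth saying so in the comment. Minor: "dpkg treat" in the comment should read "dpkg treats".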