On Thu, Jul 14, 2016 at 08:03:52AM -0700, Tianon Gravi wrote: > This is actually really dangerous, and opens up the "docker-registry" > user to unconstrained root access on the host machine if both > docker-registry and docker.io are installed. :(
Ah, damn. > IIRC, the only "private" thing in /etc/docker is "key.json" -- does > Docker set appropriately private permissions on that file as well as > the directory? In a fresh sid VM, installing docker.io results in a /etc/docker/key.json that has mode 0700 and ownership root:root, so yes. If you are concerned about future behaviour changes, you can create an autopkgtest for this. > Also worth noting that with the latest uploads of the docker.io > package, "/etc/docker" is created by the deb (not relying on Docker > itself to create it anymore), so it gets the following bits if it > doesn't exist already: > > | drwxr-xr-x 2 root root 4.0K Jul 12 14:46 /etc/docker/ OK, so setting /etc/docker to be mode 0755 and make /etc/docker/docker-registry belong to the docker-registry user should be an acceptable fix? I included a patch that ensures this is the case, and uploaded an updated version of my fix for docker-registry. Best, nicoo
From 2f5bdde25ff5145521e749ae1f0199269dda8297 Mon Sep 17 00:00:00 2001 From: Nicolas Braud-Santoni <nico...@braud-santoni.eu> Date: Thu, 14 Jul 2016 16:42:48 +0200 Subject: [PATCH] Fix /etc/docker permissions --- debian/docker.io.postinst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/debian/docker.io.postinst b/debian/docker.io.postinst index 5fd8847..d4c04ad 100644 --- a/debian/docker.io.postinst +++ b/debian/docker.io.postinst @@ -6,6 +6,13 @@ case "$1" in if [ -z "$2" ]; then addgroup --system docker fi + + # Ensure config directory permissions + # On a fresh install, $2 = '' and dpkg treat that as a + # lower version, so the permissions get fixed too. + if dpkg --compare-versions "$2" le '1.11.2~ds1-1'; then + chmod 0755 /etc/docker + fi ;; abort-*) # How'd we get here?? -- 2.8.1
signature.asc
Description: PGP signature
