Bug#831324: docker.io: /etc/docker is not readable by the docker group

[Nicolas Braud-Santoni]

On Thu, Jul 14, 2016 at 08:47:01AM -0700, Tianon Gravi wrote:
> > Would simply making the directory mode 0711 be acceptable, then?
> 
> Since we're already there for new installs ("drwxr-xr-x"), I think
> something to adjust upgrades would be prudent, but I'd love to see if
> we can find a way to detect specifically the permissions the Docker
> engine sets when it creates and only adjust _those_ (ie, not just "was
> this created by an old version of the package", but more strongly
> "does the current state match the undesirable state") so that users
> who've modified these permissions themselves can keep their
> modifications without us trampling them.  Does that make sense?

There was a minor case of email race-condition here, but I'm suggesting we
use 0755 indeed (cf the patch attached to my previous message to the BTS).


We can detect the case where the directory's octal permissions are 0700,
but this wouldn't handle all cases.  For instance, the administrator
could have used a POSIX ACL to grant access to docker-registry.

I would suggest anyway setting 0755 if the current permission is 0700
and the package is being upgraded from an old version, since:
- it is a sane permission;
- it should avoid trampling on user-set permissions in most cases.

Please find attached a patch that implements this.


Best,

  nicoo

From db11b7fe90ed0367cc6728202208a52bc19fb0c3 Mon Sep 17 00:00:00 2001
From: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
Date: Thu, 14 Jul 2016 16:42:48 +0200
Subject: [PATCH] Fix /etc/docker permissions

---
 debian/docker.io.postinst | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/debian/docker.io.postinst b/debian/docker.io.postinst
index 5fd8847..d2f1d53 100644
--- a/debian/docker.io.postinst
+++ b/debian/docker.io.postinst
@@ -6,6 +6,15 @@ case "$1" in
 		if [ -z "$2" ]; then
 			addgroup --system docker
 		fi
+
+		# Ensure config directory permissions
+		#  On a fresh install, $2 = '' and dpkg treat that as a
+		#  greater version, so the body is not executed.
+		if dpkg --compare-versions "$2" le-nl '1.11.2~ds1-1'; then
+		    if [ $(stat -c %a /etc/docker) = '700' ]; then
+			chmod 0755 /etc/docker
+		    fi
+		fi
 		;;
 	abort-*)
 		# How'd we get here??
-- 
2.8.1

signature.asc
Description: PGP signature