I really don't know - I just observed that behaviour when I went to deploy the fix to my own systems. It does seem like a bug, but I'm not familiar enough with nixos's systemd integration to explain it.
On Wed, Apr 5, 2017 at 1:27 PM, Daniel Peebles <pumpkin...@gmail.com> wrote:
> Benley: any idea why that is? It seems kind of unusual for nixos-rebuild
> switch to not change things like that...
>
> On Tue, Apr 4, 2017 at 6:28 PM, ben...@gmail.com <ben...@gmail.com> wrote:
>
>> Worth noting: Running `nixos-rebuild switch` is insufficient to make
>> this fix take effect. You may need to run `systemctl restart
>> docker.socket` or reboot before the permissions on /run/docker.sock
>> will be corrected.
>>
>> On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen <gra...@grahamc.com>
>> wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA256
>> >
>> >
>> > Date: 2017-04-03
>> > CVE-ID: CVE-2017-7412
>> > Service: docker
>> > Type: local privilege escalation
>> >
>> >
>> > Summary
>> > =======
>> >
>> > NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which
>> > allows local users to gain privileges by executing docker commands.
>> >
>> > NixOS 16.09 is not vulnerable.
>> >
>> > Resolution
>> > ==========
>> >
>> >     # nix-channel --update
>> >
>> > and ensure your NixOS channel is advanced to 17.03.887 or greater.
>> >
>> > Workaround
>> > ==========
>> >
>> > Manually apply socket permission restrictions to the Docker socket. In
>> > your configuration.nix:
>> >
>> >     systemd.sockets.docker = {
>> >       socketConfig.SocketMode = "0660";
>> >       socketConfig.SocketUser = "root";
>> >       socketConfig.SocketGroup = "docker";
>> >     };
>> >
>> > Thank You
>> > =========
>> > Thank you Alexey Shmalko (rasendubi on GitHub) for promptly reporting
>> > the vulnerability and submitting a patch.
>> >
>> > References
>> > ==========
>> >
>> > Fix applied to 17.03:
>> > https://github.com/NixOS/nixpkgs/commit/6c59d851e2967410cc8fb6ba3f374b1d3efa988e
>> >
>> > Fix applied to unstable:
>> > https://github.com/NixOS/nixpkgs/commit/fa4fe7110566d8370983fa81f2b04a833339236d
>> >
>> > 16.09 and older are not affected.
>> >
>> > -----BEGIN PGP SIGNATURE-----
>> >
>> > iQIzBAEBCAAdFiEEP+htk0GpxXspt+y6BhIdNm/pQ1wFAlji5qYACgkQBhIdNm/p
>> > Q1zX7hAAr8SXo49f8eVc5k1vryUQmESaKDRkVPtk5AANyHiXhBsViUdNVlHsPvon
>> > Ciqfl/3vMcaBJGiXOYXRurZIy9i5XQuhMfTYDcA38qXqM2Sn0eyEYi38xJZGdZqf
>> > d2ajClcfHh70jqtdJpuffhc4eWoN7Y+5TrkKG7wANRBX4rXfmPtcpzESBzVhQNu6
>> > iarJhjypr0M/9cTDG7k9E5kV2HyFlRUpSIhmNhPsM1N3DioSuCtfQcy2K3KnRRQf
>> > 1jWvt5fvq/pjLCZ4Z3JiVj6NUai46HoD99iBVXeCsEHh9DLZmidrT5lrW2RP0Cyt
>> > PQSiM/dZBeqPyRCQ7yRUcJrUjMHJQMM75T2SwCP8+UDAbNRSlJWwJy3ml5KukBcz
>> > zUJNBj1BY2/6CmGqoopuF1GkqtIuwO7gXt/U9ze8N32epXb2EVk3xzNRqjuw6YWV
>> > uBIQU68sWkKIYqw1Fi32UILBhn3CRBuK5S7I05zDgNKi15s98GGqMlIyPcPpn+YA
>> > mX3zt6Jll8b3eN8vnZezW6HZdCC3lEwlfJ9Oxenodp8/JjPa9q/PnUiRd+FBK983
>> > OF7bJCsuM028FB21GsyqksW/YhBaTUT3mjk2ua/LJ2kw+3XauQB3Pb9mnk8/Pssr
>> > RqRyYacgAxZvtpdD/DzS9HLwwiXmNWAm/iXOrI4A1SR5zA/Xgvk=
>> > =JnIC
>> > -----END PGP SIGNATURE-----
_______________________________________________
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
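The thread above leaves an operator with two things to verify after the rebuild: that /run/docker.sock is no longer world-writable, and that it carries the root:docker ownership the workaround sets. The script below is an added example for doing that check; it is not part of the nix-dev thread or of nixpkgs. It assumes a Linux host with GNU coreutils (the `stat -c` format flags) and treats the advisory's values (SocketMode 0660, SocketUser root, SocketGroup docker) as the expected state. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the nix-dev thread or nixpkgs): audit a Docker
# socket's mode and ownership against the advisory's workaround values.
# Assumes Linux with GNU `stat` (the -c format flags are not POSIX).

# socket_perms_ok MODE OWNER GROUP
# Pure check on already-gathered values, so it can be exercised without a
# real socket. Returns 0 when the socket is not world-writable and is owned
# by root:docker; otherwise prints the reason and returns 1.
socket_perms_ok() {
    mode=$1 owner=$2 group=$3
    # The last octal digit of the mode is the "other" class; any digit with
    # the write bit set (2, 3, 6, 7) is the CVE-2017-7412 condition: every
    # local user can talk to the daemon, which runs as root.
    case $mode in
        *[2367])
            echo "world-writable (mode $mode): any local user can drive the daemon"
            return 1 ;;
    esac
    if [ "$owner" != root ] || [ "$group" != docker ]; then
        echo "unexpected ownership $owner:$group (expected root:docker)"
        return 1
    fi
    echo "ok: mode $mode owner $owner group $group"
    return 0
}

# check_docker_socket [PATH]
# Reads mode/owner/group from the filesystem (default /run/docker.sock) and
# hands them to socket_perms_ok. Returns 2 when the socket does not exist.
check_docker_socket() {
    path=${1:-/run/docker.sock}
    if [ ! -e "$path" ]; then
        echo "missing: $path (is docker.socket active?)"
        return 2
    fi
    socket_perms_ok "$(stat -c %a "$path")" \
                    "$(stat -c %U "$path")" \
                    "$(stat -c %G "$path")"
}
```

Run `check_docker_socket` after `nixos-rebuild switch`. If it still reports the socket as world-writable, the switch has not re-created the socket, which is exactly what the thread observes; restart the socket unit (`systemctl restart docker.socket`) or reboot, then run the check again. A passing result means only that the socket is restricted to root and the docker group; membership in that group is still root-equivalent on the host, so the group itself should stay small.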