docker: fix socket permissions

Docker socket is world writable. This means any user on the system is
able to invoke the docker command. (Which is equal to having root access
to the machine.)

This commit makes socket group-writable and owned by docker group.

Inspired by
https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket

(cherry picked from commit fa4fe71)
rasendubi authored and grahamc committed Mar 27, 2017
1 parent 6024dd4 commit 6c59d851e2967410cc8fb6ba3f374b1d3efa988e
Showing with 11 additions and 1 deletion.
  1. +11 −1 nixos/modules/virtualisation/docker.nix
@@ -126,7 +126,17 @@ in

path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs);
};
systemd.sockets.docker.socketConfig.ListenStream = cfg.listenOptions;

systemd.sockets.docker = {
description = "Docker Socket for the API";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = cfg.listenOptions;
SocketMode = "0660";
SocketUser = "root";
SocketGroup = "docker";
};
};
}
]);
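Review bot: the new socketConfig hardcodes SocketUser = "root" and SocketGroup = "docker", so the unit now depends on a docker group existing; that declaration is not visible in this hunk, so confirm the module creates users.groups.docker (or documents that the admin must), otherwise systemd cannot apply the group and the socket fails to start. Two smaller points: SocketMode = "0660" and SocketGroup only govern AF_UNIX listeners, so if cfg.listenOptions also contains a TCP address that listener stays unrestricted and should be called out in the option description; and since membership in the docker group is root-equivalent (as the commit message says), the docker group option should carry that warning in its description rather than leaving it implicit.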