Loosen permissions on /etc/docker directory

[thaJeztah]

fixes #37840
fixes docker/cli#1358
closes #37619

The /etc/docker directory is used both by the dockerd daemon and the docker cli (if installed on the same host as the daemon).

In situations where the /etc/docker directory does not exist, and an initial key.json (legacy trust key) is generated (at the default location), the /etc/docker/ directory was created with 0700 permissions, making the directory only accessible by root.

Given that the 0600 permissions on the key itself already protect it from being used by other users, the permissions of /etc/docker can be less restrictive.

This patch changes the permissions for the directory to 0755, so that the CLI (if executed as non-root) can also access this directory.

NOTE: "strictly", this patch is only needed for situations where no custom
location for the trustkey is specified (not overridden with --deprecated-key-path),
but setting the permissions only for the "default" case would make
this more complicated.

To verify this patch;

make binary shell

# inside the container;
make install

# verify the directory doesn't exist
ls -la /etc/ | grep docker

# start, and terminate the `dockerd` daemon
dockerd
^C

# check that the directory was created with the correct permissions
ls -la /etc/ | grep docker
drwxr-xr-x 2 root root    4096 Sep 14 12:11 docker

[thaJeztah]

ping @ijc @clnperez @dmcgowan PTAL

[ijc]

Thanks, I don't think this strictly deals with docker/cli#1358 since the CLI should probably be robust to permissions failures anyway.

Is the case in daemon/cluster/cluster.go:New which I found not relevant to fix as well, or did I misinterpret what config.Root was at this point (I had concluded it was /etc/docker).

[thaJeztah]

Yeah, it's a bit confusing; config.Root is --data-root on the daemon (default /var/lib/docker). The key.json is stored inside the daemon "config dir":

moby/cmd/dockerd/daemon.go

Lines 400 to 404 in 9d276b8

	if conf.TrustKeyPath == "" {
	conf.TrustKeyPath = filepath.Join(
	getDaemonConfDir(conf.Root),
	defaultTrustKeyFile)
	}

which on Windows is a subdirectory of data-root;

moby/cmd/dockerd/daemon_windows.go

Lines 22 to 24 in 9d276b8

	func getDaemonConfDir(root string) string {
	return filepath.Join(root, `\config`)
	}

Whereas on Linux, this is hard-coded to /etc/docker (for the default);

moby/cmd/dockerd/daemon_unix.go

Lines 36 to 38 in 9d276b8

	func getDaemonConfDir(_ string) string {
	return "/etc/docker"
	}

[ijc]

Got it, thanks! LGTM

[codecov]

Codecov Report

❗ No coverage uploaded for pull request base (master@3735ea7). Click here to learn what that means.
The diff coverage is 100%.

@@            Coverage Diff            @@
##             master   #37847   +/-   ##
=========================================
  Coverage          ?   36.13%           
=========================================
  Files             ?      610           
  Lines             ?    45069           
  Branches          ?        0           
=========================================
  Hits              ?    16287           
  Misses            ?    26542           
  Partials          ?     2240

[AkihiroSuda]

LGTM

@justincormack PTAL?

[vdemeester]

LGTM 🐯