Loosen permissions on /etc/docker directory #37847
The `/etc/docker` directory is used both by the dockerd daemon and the docker cli (if installed on the same host as the daemon).

In situations where the `/etc/docker` directory does not exist, and an initial `key.json` (legacy trust key) is generated (at the default location), the `/etc/docker/` directory was created with 0700 permissions, making the directory only accessible by `root`.

Given that the `0600` permissions on the key itself already protect it from being used by other users, the permissions of `/etc/docker` can be less restrictive.

This patch changes the permissions for the directory to `0755`, so that the CLI (if executed as non-root) can also access this directory.

> **NOTE**: "strictly", this patch is only needed for situations where no _custom_
> location for the trustkey is specified (not overridden with `--deprecated-key-path`),
> but setting the permissions only for the "default" case would make
> this more complicated.

```bash
make binary shell
make install

ls -la /etc/ | grep docker

dockerd
^C

ls -la /etc/ | grep docker
drwxr-xr-x  2 root root    4096 Sep 14 12:11 docker
```

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Thanks, I don't think this strictly deals with docker/cli#1358 since the CLI should probably be robust to permissions failures anyway. Is the case in
Yeah, it's a bit confusing; Lines 400 to 404 in 9d276b8
which on Windows is a subdirectory of data-root; moby/cmd/dockerd/daemon_windows.go Lines 22 to 24 in 9d276b8
Whereas on Linux, this is hard-coded to moby/cmd/dockerd/daemon_unix.go Lines 36 to 38 in 9d276b8
Got it, thanks! LGTM
Codecov Report
@@ Coverage Diff @@
## master #37847 +/- ##
=========================================
Coverage ? 36.13%
=========================================
Files ? 610
Lines ? 45069
Branches ? 0
=========================================
Hits ? 16287
Misses ? 26542
Partials ? 2240
LGTM
@justincormack PTAL?
LGTM 🐯
fixes #37840
fixes docker/cli#1358
closes #37619
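The permission reasoning in this PR (directory accessible to non-root users, key readable only by its owner) can be checked on a host with a small audit like the one below. This is an added example, not code from the PR or from moby; `auditConfigDir` is a hypothetical helper, and its check that the directory is not group- or world-writable goes beyond what the PR states.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// auditConfigDir (hypothetical helper, not a moby function) reports permission
// problems for a daemon config directory and the key.json inside it.
func auditConfigDir(dir string) ([]string, error) {
	var findings []string
	di, err := os.Stat(dir)
	if err != nil {
		return nil, err
	}
	dm := di.Mode().Perm()
	// Without r-x for "other", a non-root CLI cannot list or enter the directory.
	if dm&0005 != 0005 {
		findings = append(findings, fmt.Sprintf("%s is %04o: not accessible to non-root users", dir, dm))
	}
	// Group/other write on the directory would let another user replace or remove key.json.
	if dm&0022 != 0 {
		findings = append(findings, fmt.Sprintf("%s is %04o: writable by group or other", dir, dm))
	}
	key := filepath.Join(dir, "key.json")
	ki, err := os.Stat(key)
	if os.IsNotExist(err) {
		return findings, nil // no trust key has been generated yet
	} else if err != nil {
		return findings, err
	}
	// With a 0755 directory the file mode is the only protection left for the key.
	if km := ki.Mode().Perm(); km&0077 != 0 {
		findings = append(findings, fmt.Sprintf("%s is %04o: key accessible beyond its owner", key, km))
	}
	return findings, nil
}

func main() {
	// /etc/docker is the default location named in the PR description.
	findings, err := auditConfigDir("/etc/docker")
	fmt.Println(findings, err)
}
```

An empty result corresponds to the state the PR aims for: `/etc/docker` at `0755` and `key.json` at `0600`.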