This repository was archived by the owner on Oct 13, 2023. It is now read-only.
[18.09] backport loosen permissions on /etc/docker directory#56
Merged
andrewhsu merged 1 commit intodocker-archive:18.09from Sep 28, 2018
Conversation
The `/etc/docker` directory is used both by the dockerd daemon and the docker cli (if installed on the saem host as the daemon). In situations where the `/etc/docker` directory does not exist, and an initial `key.json` (legacy trust key) is generated (at the default location), the `/etc/docker/` directory was created with 0700 permissions, making the directory only accessible by `root`. Given that the `0600` permissions on the key itself already protect it from being used by other users, the permissions of `/etc/docker` can be less restrictive. This patch changes the permissions for the directory to `0755`, so that the CLI (if executed as non-root) can also access this directory. > **NOTE**: "strictly", this patch is only needed for situations where no _custom_ > location for the trustkey is specified (not overridden with `--deprecated-key-path`), > but setting the permissions only for the "default" case would make > this more complicated. ```bash make binary shell make install ls -la /etc/ | grep docker dockerd ^C ls -la /etc/ | grep docker drwxr-xr-x 2 root root 4096 Sep 14 12:11 docker ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl> (cherry picked from commit cecd981) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Member
Author
andrewhsu
approved these changes
Sep 28, 2018
andrewhsu
left a comment
andrewhsu
left a comment
There was a problem hiding this comment.
LGTM
spoke with @justincormack and this seems like a palatable change
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
backport of moby#37847 for 18.09
cherry-pick was clean; no conflicts
related: moby#37840, docker/cli#1358, moby#37619
The
/etc/dockerdirectory is used both by the dockerd daemonand the docker cli (if installed on the saem host as the daemon).
In situations where the
/etc/dockerdirectory does not exist,and an initial
key.json(legacy trust key) is generated (at thedefault location), the
/etc/docker/directory was created with0700 permissions, making the directory only accessible by
root.Given that the
0600permissions on the key itself already protectit from being used by other users, the permissions of
/etc/dockercan be less restrictive.
This patch changes the permissions for the directory to
0755, sothat the CLI (if executed as non-root) can also access this directory.
Signed-off-by: Sebastiaan van Stijn github@gone.nl
(cherry picked from commit cecd981)
Signed-off-by: Sebastiaan van Stijn github@gone.nl
- What I did
- How I did it
- How to verify it
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)