Worth noting: Running `nixos-rebuild switch` is insufficient to make this fix take effect. You may need to run `systemctl restart docker.socket` or reboot before the permissions on /run/docker.sock will be corrected.
On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen <gra...@grahamc.com> wrote:
>
> Date: 2017-04-03
> CVE-ID: CVE-2017-7412
> Service: docker
> Type: local privilege escalation
>
> Summary
> =======
>
> NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which
> allows local users to gain privileges by executing docker commands.
>
> NixOS 16.09 is not vulnerable.
>
> Resolution
> ==========
>
> # nix-channel --update
>
> and ensure your NixOS channel is advanced to 17.03.887 or greater.
>
> Workaround
> ==========
>
> Manually apply socket permission restrictions to the Docker socket. In
> your configuration.nix:
>
> systemd.sockets.docker = {
>   socketConfig.SocketMode = "0660";
>   socketConfig.SocketUser = "root";
>   socketConfig.SocketGroup = "docker";
> };
>
> Thank You
> =========
> Thank you Alexey Shmalko (rasendubi on GitHub) for promptly reporting
> the vulnerability and submitting a patch.
>
> References
> ==========
>
> Fix applied to 17.03:
> https://github.com/NixOS/nixpkgs/commit/6c59d851e2967410cc8fb6ba3f374b1d3efa988e
>
> Fix applied to unstable:
> https://github.com/NixOS/nixpkgs/commit/fa4fe7110566d8370983fa81f2b04a833339236d
>
> 16.09 and older are not affected.
>
> _______________________________________________
> nix-dev mailing list
> nix-dev@lists.science.uu.nl
> http://lists.science.uu.nl/mailman/listinfo/nix-dev
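The advisory's workaround sets the socket to mode 0660, owner root, group docker, and the reply above notes that the on-disk socket keeps its old permissions until docker.socket is restarted. The following audit script is an added example, not part of the advisory or of NixOS; it assumes a Linux host with GNU or BusyBox `stat -c` and checks a given path against that target state, so it can be run before and after `systemctl restart docker.socket` to confirm the fix has actually landed on /run/docker.sock.

```shell
#!/bin/sh
# Added example (not from the advisory or NixOS): audit the Docker control
# socket against the state the advisory's workaround establishes.
# Assumes GNU/BusyBox `stat -c` and the target of mode 0660, owner root,
# group docker.

# is_world_writable PATH
# Returns 0 if the "other" write bit is set on PATH, 1 if not, 2 on error.
is_world_writable() {
    mode=$(stat -c '%a' "$1") || return 2
    # Leading 0 makes the shell read the mode as octal; bit 2 is o+w.
    [ $(( 0$mode & 2 )) -ne 0 ]
}

# check_socket_perms PATH MODE USER GROUP
# Prints the actual mode/owner/group and returns 0 only if all three match
# the expected values, 1 on any mismatch, 2 if PATH cannot be inspected.
check_socket_perms() {
    path=$1 want_mode=$2 want_user=$3 want_group=$4
    [ -e "$path" ] || { echo "$path: missing" >&2; return 2; }
    actual=$(stat -c '%a %U %G' "$path") || return 2
    # Split "MODE USER GROUP" into positional parameters.
    set -- $actual
    mode=$1 user=$2 group=$3
    echo "$path: mode=$mode user=$user group=$group"
    status=0
    [ "$mode" = "$want_mode" ]   || { echo "  expected mode $want_mode" >&2; status=1; }
    [ "$user" = "$want_user" ]   || { echo "  expected owner $want_user" >&2; status=1; }
    [ "$group" = "$want_group" ] || { echo "  expected group $want_group" >&2; status=1; }
    return $status
}

# Usage: sh docker-sock-audit.sh /run/docker.sock
# A non-zero exit after `nixos-rebuild switch` usually means docker.socket
# has not been restarted yet and the socket still carries the old mode.
if [ $# -gt 0 ]; then
    check_socket_perms "$1" 660 root docker
fi
```

The two functions are kept separate on purpose: `is_world_writable` is the minimal test for the condition the CVE describes and works for any path, while `check_socket_perms` verifies the full owner/group/mode triple the workaround sets, since a socket that is no longer world-writable but is owned by the wrong group would still be wrong.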