Re: [Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation
On 04/05/2017 08:25 PM, ben...@gmail.com wrote:
> I really don't know - I just observed that behaviour when I went to
> deploy the fix to my own systems. It does seem like a bug, but I'm not
> familiar enough with nixos's systemd integration to explain it.

I suspect this line:
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/activation/switch-to-configuration.pl#L206

--Vladimir

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev
Re: [Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation
I really don't know - I just observed that behaviour when I went to deploy the fix to my own systems. It does seem like a bug, but I'm not familiar enough with nixos's systemd integration to explain it.

On Wed, Apr 5, 2017 at 1:27 PM, Daniel Peebles wrote:
> Benley: any idea why that is? It seems kind of unusual for nixos-rebuild
> switch to not change things like that...
>
> On Tue, Apr 4, 2017 at 6:28 PM, ben...@gmail.com wrote:
>
>> Worth noting: Running `nixos-rebuild switch` is insufficient to make
>> this fix take effect. You may need to run `systemctl restart
>> docker.socket` or reboot before the permissions on /run/docker.sock
>> will be corrected.
>>
>> On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen wrote:
>> > [...]
Re: [Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation
Benley: any idea why that is? It seems kind of unusual for nixos-rebuild switch to not change things like that...

On Tue, Apr 4, 2017 at 6:28 PM, ben...@gmail.com wrote:
> Worth noting: Running `nixos-rebuild switch` is insufficient to make
> this fix take effect. You may need to run `systemctl restart
> docker.socket` or reboot before the permissions on /run/docker.sock
> will be corrected.
>
> On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen wrote:
> > [...]
Re: [Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation
Worth noting: Running `nixos-rebuild switch` is insufficient to make this fix take effect. You may need to run `systemctl restart docker.socket` or reboot before the permissions on /run/docker.sock will be corrected.

On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen wrote:
> [...]
[Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Date:    2017-04-03
CVE-ID:  CVE-2017-7412
Service: docker
Type:    local privilege escalation

Summary
=======

NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which
allows local users to gain privileges by executing docker commands.

NixOS 16.09 is not vulnerable.

Resolution
==========

    # nix-channel --update

and ensure your NixOS channel is advanced to 17.03.887 or greater.

Workaround
==========

Manually apply socket permission restrictions to the Docker socket. In
your configuration.nix:

    systemd.sockets.docker = {
      socketConfig.SocketMode = "0660";
      socketConfig.SocketUser = "root";
      socketConfig.SocketGroup = "docker";
    };

Thank You
=========

Thank you Alexey Shmalko (rasendubi on GitHub) for promptly reporting
the vulnerability and submitting a patch.

References
==========

Fix applied to 17.03:
https://github.com/NixOS/nixpkgs/commit/6c59d851e2967410cc8fb6ba3f374b1d3efa988e

Fix applied to unstable:
https://github.com/NixOS/nixpkgs/commit/fa4fe7110566d8370983fa81f2b04a89236d

16.09 and older are not affected.
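A post-deployment check for the socket permissions the advisory's workaround sets (mode 0660, root:docker), which also covers the note earlier in the thread that `nixos-rebuild switch` alone may leave /run/docker.sock uncorrected until `docker.socket` is restarted. This is an added example, not part of the advisory or of NixOS; it assumes GNU `stat -c` (as on NixOS) and takes the expected mode, user and group as optional arguments.

```shell
#!/bin/sh
# Added example (not from the advisory): verify that a Docker socket path has
# the permissions the workaround intends (mode 0660, owner root, group docker)
# and flag a world-writable socket. Assumes GNU stat (-c). Exit status:
#   0 compliant, 1 findings, 2 socket missing.
check_docker_socket() {
    sock=${1:-/run/docker.sock}
    want_mode=${2:-660}
    want_user=${3:-root}
    want_group=${4:-docker}
    if [ ! -e "$sock" ]; then
        echo "MISSING: $sock does not exist (is docker.socket active?)"
        return 2
    fi
    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$sock")
    mode=$1; owner=$2; group=$3
    rc=0
    # Strip leading zeros so "0660" and "660" compare equal
    mode_n=$(printf '%s' "$mode" | sed 's/^0*//')
    want_n=$(printf '%s' "$want_mode" | sed 's/^0*//')
    # The low octal digit is the "other" class; 2, 3, 6 or 7 carry the write bit
    case "$mode_n" in
        *[2367]) echo "FAIL: $sock is world-writable (mode $mode)"; rc=1 ;;
    esac
    if [ "$mode_n" != "$want_n" ]; then
        echo "FAIL: $sock mode is $mode, expected $want_mode"; rc=1
    fi
    if [ "$owner" != "$want_user" ]; then
        echo "FAIL: $sock owner is $owner, expected $want_user"; rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL: $sock group is $group, expected $want_group"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK: $sock is $mode $owner:$group"
    else
        # The new socket unit settings apply only once systemd recreates the socket
        echo "HINT: after changing systemd.sockets.docker, run: systemctl restart docker.socket"
    fi
    return "$rc"
}

# Usage: check_docker_socket [path] [mode] [user] [group]
if [ $# -gt 0 ]; then
    check_docker_socket "$@"
fi
```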