Re: [Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation

2017-04-05 Thread Vladimír Čunát
On 04/05/2017 08:25 PM, ben...@gmail.com wrote:
> I really don't know - I just observed that behaviour when I went to
> deploy the fix to my own systems.  It does seem like a bug, but I'm not
> familiar enough with nixos's systemd integration to explain it.

I suspect this line:
https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/system/activation/switch-to-configuration.pl#L206

--Vladimir

___
nix-dev mailing list
nix-dev@lists.science.uu.nl
http://lists.science.uu.nl/mailman/listinfo/nix-dev


Re: [Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation

2017-04-05 Thread ben...@gmail.com
I really don't know - I just observed that behaviour when I went to deploy
the fix to my own systems.  It does seem like a bug, but I'm not familiar
enough with nixos's systemd integration to explain it.

On Wed, Apr 5, 2017 at 1:27 PM, Daniel Peebles  wrote:

> Benley: any idea why that is? It seems kind of unusual for nixos-rebuild
> switch to not change things like that...
>
> On Tue, Apr 4, 2017 at 6:28 PM, ben...@gmail.com  wrote:
>
>> Worth noting:  Running `nixos-rebuild switch` is insufficient to make
>> this fix take effect.  You may need to run `systemctl restart
>> docker.socket` or reboot before the permissions on /run/docker.sock
>> will be corrected.
>>
>> On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen 
>> wrote:
>> [...]


Re: [Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation

2017-04-05 Thread Daniel Peebles
Benley: any idea why that is? It seems kind of unusual for nixos-rebuild
switch to not change things like that...

On Tue, Apr 4, 2017 at 6:28 PM, ben...@gmail.com  wrote:

> Worth noting:  Running `nixos-rebuild switch` is insufficient to make
> this fix take effect.  You may need to run `systemctl restart
> docker.socket` or reboot before the permissions on /run/docker.sock
> will be corrected.
>
> On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen 
> wrote:
> [...]


Re: [Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation

2017-04-04 Thread ben...@gmail.com
Worth noting:  Running `nixos-rebuild switch` is insufficient to make
this fix take effect.  You may need to run `systemctl restart
docker.socket` or reboot before the permissions on /run/docker.sock
will be corrected.

On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen  wrote:
> [...]


[Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation

2017-04-03 Thread Graham Christensen
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Date:    2017-04-03
CVE-ID:  CVE-2017-7412
Service: docker
Type:    local privilege escalation


Summary
===

NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which
allows local users to gain privileges by executing docker commands.

NixOS 16.09 is not vulnerable.

Resolution
==

# nix-channel --update

and ensure your NixOS channel is advanced to 17.03.887 or greater.

Workaround
==

Manually apply socket permission restrictions to the Docker socket. In
your configuration.nix:

  systemd.sockets.docker = {
    socketConfig.SocketMode = "0660";
    socketConfig.SocketUser = "root";
    socketConfig.SocketGroup = "docker";
  };

Thank You
=
Thank you Alexey Shmalko (rasendubi on GitHub) for promptly reporting
the vulnerability and submitting a patch.

References
==

Fix applied to 17.03:
https://github.com/NixOS/nixpkgs/commit/6c59d851e2967410cc8fb6ba3f374b1d3efa988e

Fix applied to unstable:
https://github.com/NixOS/nixpkgs/commit/fa4fe7110566d8370983fa81f2b04a89236d

16.09 and older are not affected.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEP+htk0GpxXspt+y6BhIdNm/pQ1wFAlji5qYACgkQBhIdNm/p
Q1zX7hAAr8SXo49f8eVc5k1vryUQmESaKDRkVPtk5AANyHiXhBsViUdNVlHsPvon
Ciqfl/3vMcaBJGiXOYXRurZIy9i5XQuhMfTYDcA38qXqM2Sn0eyEYi38xJZGdZqf
d2ajClcfHh70jqtdJpuffhc4eWoN7Y+5TrkKG7wANRBX4rXfmPtcpzESBzVhQNu6
iarJhjypr0M/9cTDG7k9E5kV2HyFlRUpSIhmNhPsM1N3DioSuCtfQcy2K3KnRRQf
1jWvt5fvq/pjLCZ4Z3JiVj6NUai46HoD99iBVXeCsEHh9DLZmidrT5lrW2RP0Cyt
PQSiM/dZBeqPyRCQ7yRUcJrUjMHJQMM75T2SwCP8+UDAbNRSlJWwJy3ml5KukBcz
zUJNBj1BY2/6CmGqoopuF1GkqtIuwO7gXt/U9ze8N32epXb2EVk3xzNRqjuw6YWV
uBIQU68sWkKIYqw1Fi32UILBhn3CRBuK5S7I05zDgNKi15s98GGqMlIyPcPpn+YA
mX3zt6Jll8b3eN8vnZezW6HZdCC3lEwlfJ9Oxenodp8/JjPa9q/PnUiRd+FBK983
OF7bJCsuM028FB21GsyqksW/YhBaTUT3mjk2ua/LJ2kw+3XauQB3Pb9mnk8/Pssr
RqRyYacgAxZvtpdD/DzS9HLwwiXmNWAm/iXOrI4A1SR5zA/Xgvk=
=JnIC
-----END PGP SIGNATURE-----
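A defender-side check for the condition the advisory describes, and for the follow-up observation in this thread that the live socket can keep its old permissions after `nixos-rebuild switch` until docker.socket is restarted. This is an added example; it is not part of the advisory, of nixpkgs, or of any message above. It assumes GNU coreutils `stat -c` (which NixOS ships), the socket path /run/docker.sock named in the thread, and the advisory's workaround values (mode 0660, owner root, group docker) as the expected state; the function name `check_docker_sock` is the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or nixpkgs): audit the live Docker
# socket against the permissions the advisory's workaround configures
# (SocketMode 0660, SocketUser root, SocketGroup docker).
# Assumes GNU coreutils `stat -c`, as on NixOS.

# check_docker_sock PATH [MODE] [USER] [GROUP]
# Prints one finding per line; returns 0 when PATH matches, 1 otherwise.
check_docker_sock() {
    path=$1
    # Normalise "0660" to "660", the form `stat -c %a` prints.
    want_mode=$(printf '%s' "${2:-0660}" | sed 's/^0*//')
    want_user=${3:-root}
    want_group=${4:-docker}

    if [ ! -e "$path" ]; then
        echo "MISSING: $path does not exist (is docker.socket active?)"
        return 1
    fi

    # Inspect the socket as it exists now, not the unit file: the unit may
    # already say 0660 while a socket created before the switch still
    # carries the old mode, which is the situation reported in the thread.
    mode=$(stat -c '%a' "$path")
    user=$(stat -c '%U' "$path")
    group=$(stat -c '%G' "$path")
    rc=0

    # The CVE-2017-7412 condition itself: the write bit is set for "other"
    # (last octal digit 2, 3, 6 or 7), so any local user can talk to dockerd.
    case "$mode" in
        *[2367]) echo "WORLD-WRITABLE: $path is mode $mode"; rc=1 ;;
    esac

    [ "$mode" = "$want_mode" ]   || { echo "MODE: $mode (want $want_mode)"; rc=1; }
    [ "$user" = "$want_user" ]   || { echo "OWNER: $user (want $want_user)"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "GROUP: $group (want $want_group)"; rc=1; }

    if [ "$rc" -eq 0 ]; then
        echo "OK: $path is $mode $user:$group"
    fi
    return "$rc"
}

# Stand-alone use: `sh check-docker-sock.sh /run/docker.sock`; the exit
# status mirrors the check so it can gate a deployment step.
if [ "$#" -gt 0 ]; then
    check_docker_sock "$1"
    exit $?
fi
```

Run it after switching to a configuration that carries the workaround. An OK line means the socket already has the intended permissions; a WORLD-WRITABLE or MODE finding on a host whose unit file is already updated is the symptom described in the thread, and `systemctl restart docker.socket` (or a reboot, as suggested above) is what makes systemd recreate the socket with the new SocketMode. Re-running the check afterwards confirms the change actually landed.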