Loosen permissions on /etc/docker directory

The `/etc/docker` directory is used both by the dockerd daemon and the docker cli (if installed on the saem host as the daemon). In situations where the `/etc/docker` directory does not exist, and an initial `key.json` (legacy trust key) is generated (at the default location), the `/etc/docker/` directory was created with 0700 permissions, making the directory only accessible by `root`. Given that the `0600` permissions on the key itself already protect it from being used by other users, the permissions of `/etc/docker` can be less restrictive. This patch changes the permissions for the directory to `0755`, so that the CLI (if executed as non-root) can also access this directory. > **NOTE**: "strictly", this patch is only needed for situations where no _custom_ > location for the trustkey is specified (not overridden with `--deprecated-key-path`), > but setting the permissions only for the "default" case would make > this more complicated. ```bash make binary shell make install ls -la /etc/ | grep docker dockerd ^C ls -la /etc/ | grep docker drwxr-xr-x 2 root root 4096 Sep 14 12:11 docker ``` Signed-off-by: Sebastiaan van Stijn <[email protected]>
docker-archive · Sep 14, 2018 · cecd981 · cecd981
1 parent 3735ea7
commit cecd981
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/daemon/trustkey.go b/daemon/trustkey.go
@@ -17,7 +17,7 @@ import (
 // TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need
 // a refactor or this function to be moved into libtrust
 func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
-	err := system.MkdirAll(filepath.Dir(trustKeyPath), 0700, "")
+	err := system.MkdirAll(filepath.Dir(trustKeyPath), 0755, "")
 	if err != nil {
 		return nil, err
 	}