From fc576226b24e8b5db6e95e48967d56c5808f9fe9 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 14 Sep 2018 13:40:34 +0200
Subject: [PATCH] Loosen permissions on /etc/docker directory

The `/etc/docker` directory is used both by the dockerd daemon and the docker cli (if installed on the saem host as the daemon). In situations where the `/etc/docker` directory does not exist, and an initial `key.json` (legacy trust key) is generated (at the default location), the `/etc/docker/` directory was created with 0700 permissions, making the directory only accessible by `root`. Given that the `0600` permissions on the key itself already protect it from being used by other users, the permissions of `/etc/docker` can be less restrictive. This patch changes the permissions for the directory to `0755`, so that the CLI (if executed as non-root) can also access this directory. > **NOTE**: "strictly", this patch is only needed for situations where no _custom_ > location for the trustkey is specified (not overridden with `--deprecated-key-path`), > but setting the permissions only for the "default" case would make > this more complicated. ```bash make binary shell make install ls -la /etc/ | grep docker dockerd ^C ls -la /etc/ | grep docker drwxr-xr-x 2 root root 4096 Sep 14 12:11 docker ```
Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit cecd9817177093be99c1c9bb0dcf43ccec14ad1d)
Signed-off-by: Sebastiaan van Stijn
---
 daemon/trustkey.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon/trustkey.go b/daemon/trustkey.go
index bf00b6a3a0c4c..4d72c932f1485 100644
--- a/daemon/trustkey.go
+++ b/daemon/trustkey.go
@@ -17,7 +17,7 @@ import (
 // TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need
 // a refactor or this function to be moved into libtrust
 func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
- err := system.MkdirAll(filepath.Dir(trustKeyPath), 0700, "")
+ err := system.MkdirAll(filepath.Dir(trustKeyPath), 0755, "")
 if err != nil {
 return nil, err
 }
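Review bot: The `0755` mode on the `system.MkdirAll` line is applied to `filepath.Dir(trustKeyPath)` for every key path, so with a custom `--deprecated-key-path` any parent directories this call creates also become world-readable and traversable, and the key's confidentiality then rests only on the file's own mode, which is set outside this hunk (loadOrCreateTrustKey continues past it). A comment on that line would record the dependency, e.g. `// 0755 so a non-root CLI can read /etc/docker; key.json itself must stay 0600`. It is also worth confirming that nothing else written under `/etc/docker` relied on the old 0700 directory for protection, since files there with a default mode would now be readable by any local user. If `system.MkdirAll` behaves like `os.MkdirAll`, an already existing directory keeps its current mode, so hosts that already have a 0700 `/etc/docker` are presumably unchanged by this patch.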