[Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation

benley at gmail.com benley at gmail.com
Wed Apr 5 00:28:42 CEST 2017


Worth noting:  Running `nixos-rebuild switch` is insufficient to make
this fix take effect.  You may need to run `systemctl restart
docker.socket` or reboot before the permissions on /run/docker.sock
will be corrected.

On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen <graham at grahamc.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>
> Date:    2017-04-03
> CVE-ID:  CVE-2017-7412
> Service: docker
> Type:    local privilege escalation
>
>
> Summary
> =======
>
> NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which
> allows local users to gain privileges by executing docker commands.
>
> NixOS 16.09 is not vulnerable.
>
> Resolution
> ==========
>
> # nix-channel --update
>
> and ensure your NixOS channel is advanced to 17.03.887 or greater.
>
> Workaround
> ==========
>
> Manually apply socket permission restrictions to the Docker socket. In
> your configuration.nix:
>
>   systemd.sockets.docker = {
>     socketConfig.SocketMode = "0660";
>     socketConfig.SocketUser = "root";
>     socketConfig.SocketGroup = "docker";
>   };
>
> Thank You
> =========
> Thank you Alexey Shmalko (rasendubi on GitHub) for promptly reporting
> the vulnerability and submitting a patch.
>
> References
> ==========
>
> Fix applied to 17.03:
> https://github.com/NixOS/nixpkgs/commit/6c59d851e2967410cc8fb6ba3f374b1d3efa988e
>
> Fix applied to unstable:
> https://github.com/NixOS/nixpkgs/commit/fa4fe7110566d8370983fa81f2b04a833339236d
>
> 16.09 and older are not affected.
>
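A defender's check for the condition the advisory describes, added here as an example (not part of the advisory, of nixpkgs, or of the NixOS module): it verifies that the Docker socket is no longer world-writable and that it carries the 0660 root:docker settings the workaround configures. It assumes GNU coreutils `stat` (the `-c` format flags) and can be run after `nixos-rebuild switch` and the `systemctl restart docker.socket` mentioned above.

```shell
#!/bin/sh
# Check whether /run/docker.sock (or another path) is still exposed as in
# CVE-2017-7412. Added example; assumes GNU `stat -c`.

# Return 0 if an octal mode string (e.g. "666" or "2660") grants write
# access to "other", i.e. the socket is world-writable.
mode_is_world_writable() {
  case "$1" in
    *[2367]) return 0 ;;   # last octal digit has the write bit (2) set
    *)       return 1 ;;
  esac
}

# Exit codes: 0 = matches the fixed configuration, 1 = problem found,
# 2 = socket not present (Docker may not be running yet).
check_docker_socket() {
  path="${1:-/run/docker.sock}"
  if [ ! -e "$path" ]; then
    echo "missing: $path (is docker.socket active?)"
    return 2
  fi
  mode=$(stat -c '%a' "$path")    # permission bits in octal, e.g. 660
  user=$(stat -c '%U' "$path")    # owning user name
  group=$(stat -c '%G' "$path")   # owning group name

  if mode_is_world_writable "$mode"; then
    echo "VULNERABLE: $path is world-writable ($mode $user:$group)"
    return 1
  fi
  # The advisory's workaround sets SocketMode=0660, SocketUser=root,
  # SocketGroup=docker; anything else deserves a look.
  if [ "$mode" != "660" ] || [ "$user" != "root" ] || [ "$group" != "docker" ]; then
    echo "WARNING: $path is $mode $user:$group, expected 660 root:docker"
    return 1
  fi
  echo "OK: $path is $mode $user:$group"
  return 0
}
```

Run `check_docker_socket` with no argument on a live system; a non-zero exit after a rebuild is the sign that the socket unit still needs restarting.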