[Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation

Daniel Peebles pumpkingod at gmail.com
Wed Apr 5 19:27:35 CEST 2017


Benley: any idea why that is? It seems kind of unusual for nixos-rebuild
switch to not change things like that...

On Tue, Apr 4, 2017 at 6:28 PM, benley at gmail.com <benley at gmail.com> wrote:

> Worth noting:  Running `nixos-rebuild switch` is insufficient to make
> this fix take effect.  You may need to run `systemctl restart
> docker.socket` or reboot before the permissions on /run/docker.sock
> will be corrected.
>
> On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen <graham at grahamc.com>
> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> >
> > Date:    2017-04-03
> > CVE-ID:  CVE-2017-7412
> > Service: docker
> > Type:    local privilege escalation
> >
> >
> > Summary
> > =======
> >
> > NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which
> > allows local users to gain privileges by executing docker commands.
> >
> > NixOS 16.09 is not vulnerable.
> >
> > Resolution
> > ==========
> >
> > # nix-channel --update
> >
> > and ensure your NixOS channel is advanced to 17.03.887 or greater.
> >
> > Workaround
> > ==========
> >
> > Manually apply socket permission restrictions to the Docker socket. In
> > your configuration.nix:
> >
> >   systemd.sockets.docker = {
> >     socketConfig.SocketMode = "0660";
> >     socketConfig.SocketUser = "root";
> >     socketConfig.SocketGroup = "docker";
> >   };
> >
> > Thank You
> > =========
> > Thank you Alexey Shmalko (rasendubi on GitHub) for promptly reporting
> > the vulnerability and submitting a patch.
> >
> > References
> > ==========
> >
> > Fix applied to 17.03:
> > https://github.com/NixOS/nixpkgs/commit/6c59d851e2967410cc8fb6ba3f374b1d3efa988e
> >
> > Fix applied to unstable:
> > https://github.com/NixOS/nixpkgs/commit/fa4fe7110566d8370983fa81f2b04a833339236d
> >
> > 16.09 and older are not affected.
> >
> > -----BEGIN PGP SIGNATURE-----
> >
> > iQIzBAEBCAAdFiEEP+htk0GpxXspt+y6BhIdNm/pQ1wFAlji5qYACgkQBhIdNm/p
> > Q1zX7hAAr8SXo49f8eVc5k1vryUQmESaKDRkVPtk5AANyHiXhBsViUdNVlHsPvon
> > Ciqfl/3vMcaBJGiXOYXRurZIy9i5XQuhMfTYDcA38qXqM2Sn0eyEYi38xJZGdZqf
> > d2ajClcfHh70jqtdJpuffhc4eWoN7Y+5TrkKG7wANRBX4rXfmPtcpzESBzVhQNu6
> > iarJhjypr0M/9cTDG7k9E5kV2HyFlRUpSIhmNhPsM1N3DioSuCtfQcy2K3KnRRQf
> > 1jWvt5fvq/pjLCZ4Z3JiVj6NUai46HoD99iBVXeCsEHh9DLZmidrT5lrW2RP0Cyt
> > PQSiM/dZBeqPyRCQ7yRUcJrUjMHJQMM75T2SwCP8+UDAbNRSlJWwJy3ml5KukBcz
> > zUJNBj1BY2/6CmGqoopuF1GkqtIuwO7gXt/U9ze8N32epXb2EVk3xzNRqjuw6YWV
> > uBIQU68sWkKIYqw1Fi32UILBhn3CRBuK5S7I05zDgNKi15s98GGqMlIyPcPpn+YA
> > mX3zt6Jll8b3eN8vnZezW6HZdCC3lEwlfJ9Oxenodp8/JjPa9q/PnUiRd+FBK983
> > OF7bJCsuM028FB21GsyqksW/YhBaTUT3mjk2ua/LJ2kw+3XauQB3Pb9mnk8/Pssr
> > RqRyYacgAxZvtpdD/DzS9HLwwiXmNWAm/iXOrI4A1SR5zA/Xgvk=
> > =JnIC
> > -----END PGP SIGNATURE-----
> > _______________________________________________
> > nix-dev mailing list
> > nix-dev at lists.science.uu.nl
> > http://lists.science.uu.nl/mailman/listinfo/nix-dev
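As benley notes above, the rebuilt socket unit only takes effect once docker.socket is restarted, so the useful follow-up is to look at what /run/docker.sock actually has on disk rather than at configuration.nix. The script below is an added example (it is not part of the advisory, of nixpkgs, or of anyone's post in this thread) that checks a socket path against the advisory's workaround values of mode 0660, owner root, group docker. It assumes a GNU coreutils or busybox `stat` that understands `-c '%a %U %G'`; the path, owner and group are parameters, and the script file name `check-docker-socket.sh` is an assumption used only to decide whether to run the check when invoked directly.

```shell
#!/bin/sh
# Added example, not from the advisory or from nixpkgs: verify that a Docker
# socket no longer carries the world-writable mode the advisory describes.
# Assumes GNU/busybox `stat`. Defaults are the advisory's workaround values:
# /run/docker.sock, owner root, group docker, mode 0660.

# Returns 0 when an octal mode string grants write permission to "others"
# (last digit has bit 2 set: 2, 3, 6 or 7), i.e. the vulnerable state.
mode_is_world_writable() {
    case $1 in
        *[2367]) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_docker_socket [PATH] [OWNER] [GROUP]
# Returns 0 when PATH has the expected owner and group and is not
# world-writable, 1 when any check fails, 2 when PATH does not exist.
check_docker_socket() {
    path=${1:-/run/docker.sock}
    want_owner=${2:-root}
    want_group=${3:-docker}
    status=0

    if [ ! -e "$path" ]; then
        echo "no socket at $path (is docker.socket started?)"
        return 2
    fi

    # stat: %a octal mode, %U owner name, %G group name
    set -- $(stat -c '%a %U %G' "$path")
    mode=$1; owner=$2; group=$3

    if mode_is_world_writable "$mode"; then
        echo "VULNERABLE: $path is mode $mode (world-writable)."
        echo "  After nixos-rebuild switch, run 'systemctl restart docker.socket' or reboot."
        status=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "WARN: $path is owned by $owner, expected $want_owner"
        status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "WARN: $path has group $group, expected $want_group"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $path is $mode $owner:$group"
    fi
    return "$status"
}

# Run the live check only when executed as a script named
# check-docker-socket.sh (assumed name); when sourced, only define functions.
case ${0##*/} in
    check-docker-socket.sh) check_docker_socket "$@" ;;
esac
```

Running it as root on the host immediately after `nixos-rebuild switch`, and again after `systemctl restart docker.socket`, shows the difference benley describes: the first run reports the stale 0666 socket, the second reports OK. The group and owner checks are there because a 0660 socket only helps if the group bits belong to a deliberately restricted group, which is what the SocketUser and SocketGroup lines in the workaround enforce.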