[Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation

benley at gmail.com benley at gmail.com
Wed Apr 5 20:25:38 CEST 2017


I really don't know - I just observed that behaviour when I went to deploy
the fix to my own systems.  It does seem like a bug, but I'm not familiar
enough with nixos's systemd integration to explain it.

On Wed, Apr 5, 2017 at 1:27 PM, Daniel Peebles <pumpkingod at gmail.com> wrote:

> Benley: any idea why that is? It seems kind of unusual for nixos-rebuild
> switch to not change things like that...
>
> On Tue, Apr 4, 2017 at 6:28 PM, benley at gmail.com <benley at gmail.com> wrote:
>
>> Worth noting:  Running `nixos-rebuild switch` is insufficient to make
>> this fix take effect.  You may need to run `systemctl restart
>> docker.socket` or reboot before the permissions on /run/docker.sock
>> will be corrected.
>>
>> On Mon, Apr 3, 2017 at 8:19 PM, Graham Christensen <graham at grahamc.com>
>> wrote:
>> > -----BEGIN PGP SIGNED MESSAGE-----
>> > Hash: SHA256
>> >
>> >
>> > Date:    2017-04-03
>> > CVE-ID:  CVE-2017-7412
>> > Service: docker
>> > Type:    local privilege escalation
>> >
>> >
>> > Summary
>> > =======
>> >
>> > NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which
>> > allows local users to gain privileges by executing docker commands.
>> >
>> > NixOS 16.09 is not vulnerable.
>> >
>> > Resolution
>> > ==========
>> >
>> > # nix-channel --update
>> >
>> > and ensure your NixOS channel is advanced to 17.03.887 or greater.
>> >
>> > Workaround
>> > ==========
>> >
>> > Manually apply socket permission restrictions to the Docker socket. In
>> > your configuration.nix:
>> >
>> >   systemd.sockets.docker = {
>> >     socketConfig.SocketMode = "0660";
>> >     socketConfig.SocketUser = "root";
>> >     socketConfig.SocketGroup = "docker";
>> >   };
>> >
>> > Thank You
>> > =========
>> > Thank you Alexey Shmalko (rasendubi on GitHub) for promptly reporting
>> > the vulnerability and submitting a patch.
>> >
>> > References
>> > ==========
>> >
>> > Fix applied to 17.03:
>> > https://github.com/NixOS/nixpkgs/commit/6c59d851e2967410cc8fb6ba3f374b1d3efa988e
>> >
>> > Fix applied to unstable:
>> > https://github.com/NixOS/nixpkgs/commit/fa4fe7110566d8370983fa81f2b04a833339236d
>> >
>> > 16.09 and older are not affected.
>> >
>> > _______________________________________________
>> > nix-dev mailing list
>> > nix-dev at lists.science.uu.nl
>> > http://lists.science.uu.nl/mailman/listinfo/nix-dev
>>
>
>
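A defender-side check to go with the advisory's workaround and the note that `nixos-rebuild switch` alone may not fix the live socket; this is an added example, not code from the advisory or from nixpkgs. It assumes GNU coreutils `stat` (as on NixOS) and the default socket path /run/docker.sock.

```shell
#!/bin/sh
# Added example (not from the advisory or nixpkgs): confirm that the Docker
# socket fix took effect. As the thread notes, `nixos-rebuild switch` alone
# may leave the old world-writable socket in place until docker.socket is
# restarted, so the live permissions are what matter.

# world_writable MODE -> true (0) if octal MODE grants write to "other".
world_writable() {
  other=${1#"${1%?}"}        # last octal digit = permissions for "other"
  case "$other" in
    2|3|6|7) return 0 ;;     # write bit (2) is set
    *)       return 1 ;;
  esac
}

# matches_workaround MODE USER GROUP -> true if the triple equals the
# advisory's SocketMode=0660, SocketUser=root, SocketGroup=docker.
matches_workaround() {
  case "$1" in
    660|0660) [ "$2" = "root" ] && [ "$3" = "docker" ] ;;
    *)        return 1 ;;
  esac
}

# check_docker_socket [PATH] -> 0 if PATH is a socket with the fixed
# permissions, 1 if still too permissive or unexpected, 2 if not a socket.
# Assumes GNU coreutils stat (the case on NixOS).
check_docker_socket() {
  path=${1:-/run/docker.sock}
  if [ ! -S "$path" ]; then
    echo "$path: not a socket (is docker.socket running?)"
    return 2
  fi
  set -- $(stat -c '%a %U %G' "$path")   # octal mode, owner, group
  if matches_workaround "$1" "$2" "$3"; then
    echo "$path: $1 $2:$3 matches the fix"
    return 0
  fi
  if world_writable "$1"; then
    echo "$path: $1 $2:$3 is world-writable; run 'systemctl restart docker.socket'"
  else
    echo "$path: $1 $2:$3 differs from the expected 0660 root:docker"
  fi
  return 1
}

# Run as: sh check-docker-sock.sh /run/docker.sock (no argument: define only)
[ "$#" -eq 0 ] || check_docker_socket "$@"
```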