movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

docker: fix socket permissions

Browse source 
Docker socket is world writable. This means any user on the system is
able to invoke docker command. (Which is equal to having a root access
to the machine.)

This commit makes socket group-writable and owned by docker group.

Inspired by
https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket
This commit is contained in:
Alexey Shmalko 2017-03-27 16:11:44 +03:00 committed by Graham Christensen
parent a29d0df28c
commit fa4fe71105
No known key found for this signature in database
GPG key ID: 06121D366FE9435C
1 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

12
nixos/modules/virtualisation/docker.nix
View file

@ -126,7 +126,17 @@ in
path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs); path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs);
}; };
systemd.sockets.docker.socketConfig.ListenStream = cfg.listenOptions;
systemd.sockets.docker = {
description = "Docker Socket for the API";
wantedBy = [ "sockets.target" ];
socketConfig = {
ListenStream = cfg.listenOptions;
SocketMode = "0660";
SocketUser = "root";
SocketGroup = "docker";
};
};
} }
]); ]);