On 14 July 2016 at 07:55, Nicolas Braud-Santoni <nico...@braud-santoni.eu> wrote:
> I attached a patch that makes /etc/docker owned by 'root:docker' with
> mode 0710. The matching fix in docker-registry is to make the user
> docker-registry a member of the docker group (creating it if required),
> and apply those permissions to /etc/docker.
This is actually really dangerous, and opens up the "docker-registry" user to unconstrained root access on the host machine if both docker-registry and docker.io are installed. :( (Access to the "docker" group means access to the Docker daemon socket, which means the ability to launch privileged containers.)

IIRC, the only "private" thing in /etc/docker is "key.json" -- does Docker set appropriately private permissions on that file as well as the directory?

♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
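An added audit script, not code from this thread, from Docker or from the Debian packages, that checks the two things the reply above is concerned with: who is in the 'docker' group (every member can drive the daemon socket and is therefore root-equivalent on the host) and whether /etc/docker and its key.json are private. It assumes GNU coreutils stat(1); the directory and group file are taken as arguments so it can be run against a copy without root, and the demo at the bottom runs it on constructed data that reproduces the patched layout (directory 0710, docker-registry added to the docker group).

```shell
#!/bin/sh
# Added example (not from the thread, Docker or Debian): audit docker group
# membership and /etc/docker permissions. Assumes GNU coreutils stat(1).
set -u

# mode_of PATH -> octal permission bits, e.g. 710
mode_of() { stat -c '%a' "$1"; }

# docker_group_members GROUPFILE -> comma-separated member list of the
# 'docker' entry in an /etc/group-style file (empty if no such group)
docker_group_members() {
    awk -F: '$1 == "docker" { print $4 }' "$1"
}

# is_owner_only PATH -> 0 if no group/other permission bits are set
is_owner_only() {
    case "$(mode_of "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_docker DIR GROUPFILE -> prints findings; exit status = number found
audit_docker() {
    dir=$1; groupfile=$2; findings=0

    # Every docker group member can talk to the daemon socket, so each one
    # can start a privileged container: root-equivalent on the host.
    members=$(docker_group_members "$groupfile")
    oldifs=$IFS; IFS=,
    for m in $members; do
        echo "WARN: '$m' is in group docker: can launch privileged containers (root on host)"
        findings=$((findings + 1))
    done
    IFS=$oldifs

    # The directory itself must not be reachable by 'other'.
    dmode=$(mode_of "$dir")
    case "$dmode" in
        *[1-7]) echo "WARN: $dir mode $dmode is accessible to 'other'"
                findings=$((findings + 1)) ;;
    esac

    # key.json is the daemon's private key material: it should be owner-only.
    if [ -e "$dir/key.json" ] && ! is_owner_only "$dir/key.json"; then
        echo "WARN: $dir/key.json mode $(mode_of "$dir/key.json") is readable beyond its owner"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on constructed data: a fake /etc/docker laid out as the patch proposes
# (0710) plus a fake group file with docker-registry added to the docker group.
demo=$(mktemp -d)
mkdir -m 0710 "$demo/docker"
printf '{"crv":"P-256"}\n' > "$demo/docker/key.json"
chmod 0644 "$demo/docker/key.json"          # deliberately too permissive
printf 'root:x:0:\ndocker:x:999:tianon,docker-registry\n' > "$demo/group"
audit_docker "$demo/docker" "$demo/group" || echo "$? finding(s)"
rm -rf "$demo"
```

Run it against the real system with `audit_docker /etc/docker /etc/group` (as root, since 0710 keeps 'other' out of the directory). The membership warnings are the important ones: the directory mode only limits who can read /etc/docker, while group membership hands out the daemon socket, which is what the reply above objects to.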