On 14 July 2016 at 08:22, Nicolas Braud-Santoni
<nico...@braud-santoni.eu> wrote:
> Would simply making the directory mode 0711 be acceptable, then?
Since we're already there for new installs ("drwxr-xr-x"), I think
something to adjust upgrades would be prudent, but I'd love to see if
we can find a way to detect specifically the permissions the Docker
engine sets when it creates and only adjust _those_ (ie, not just "was
this created by an old version of the package", but more strongly
"does the current state match the undesirable state") so that users
who've modified these permissions themselves can keep their
modifications without us trampling them. Does that make sense?
>> IIRC, the only "private" thing in /etc/docker is "key.json" -- does
>> Docker set appropriately private permissions on that file as well as
>> the directory?
>
> In a fresh sid VM, installing docker.io results in a /etc/docker/key.json
> that has mode 0700 and ownership root:root, so yes.
>
> If you are concerned about future behaviour changes,
> you can create an autopkgtest for this.
I'm not really worried about them regressing in this regard -- if
they're currently setting reasonable permissions on "key.json", their
past behavior tells me they'll likely continue doing so. :)
(Also, "/etc/docker/daemon.json" is now a user-supplied configuration
file, so upstream is having to be slightly more conscious about this
directory having open permissions.)
♥,
- Tianon
4096R / B42F 6819 007F 00F8 8E36 4FD4 036A 9C25 BF35 7DD4
