author | Alexey Shmalko <rasen.dubi@gmail.com> | 2017-03-27 16:11:44 +0300 |
---|---|---|
committer | Graham Christensen <graham@grahamc.com> | 2017-04-03 09:05:37 -0400 |
commit | fa4fe7110566d8370983fa81f2b04a833339236d (patch) | |
tree | 3202ae71ea9f60182e2b6d7e1193e8b64bee8a29 /nixos/modules/virtualisation/docker.nix | |
parent | a29d0df28c3036e26c1806fe9172e79c0ab386ed (diff) | |
docker: fix socket permissions
The Docker socket is world writable. This means any user on the system is able to invoke the docker command. (Which is equal to having root access to the machine.) This commit makes the socket group-writable and owned by the docker group. Inspired by https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket
Diffstat (limited to 'nixos/modules/virtualisation/docker.nix')
-rw-r--r-- | nixos/modules/virtualisation/docker.nix | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix index 4b30a38f832..f1101d7ea66 100644 --- a/nixos/modules/virtualisation/docker.nix +++ b/nixos/modules/virtualisation/docker.nix @@ -126,7 +126,17 @@ in path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs); }; - systemd.sockets.docker.socketConfig.ListenStream = cfg.listenOptions; + + systemd.sockets.docker = { + description = "Docker Socket for the API"; + wantedBy = [ "sockets.target" ]; + socketConfig = { + ListenStream = cfg.listenOptions; + SocketMode = "0660"; + SocketUser = "root"; + SocketGroup = "docker"; + }; + }; } ]); |
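Review bot: `SocketMode = "0660"`, `SocketUser = "root"` and `SocketGroup = "docker"` only govern filesystem (AF_UNIX) sockets, so if `ListenStream = cfg.listenOptions` also carries a TCP address, these settings have no effect on that listener and it stays reachable without the group check; the option description should say that the group restriction applies to the Unix socket only. The hunk also relies on a `docker` group that is not declared in these lines, and systemd will refuse to start the socket unit if the group cannot be resolved, so confirm the module defines it and document there that membership in `docker` is root-equivalent, as the commit message already notes.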