[Nix-dev] NixOS Security Advisory: Docker Local Privilege Escalation

Graham Christensen graham at grahamc.com
Tue Apr 4 02:19:50 CEST 2017


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Date:    2017-04-03
CVE-ID:  CVE-2017-7412
Service: docker
Type:    local privilege escalation


Summary
=======

NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which
allows local users to gain privileges by executing docker commands.

NixOS 16.09 is not vulnerable.

Resolution
==========

# nix-channel --update

and ensure your NixOS channel is advanced to 17.03.887 or greater.

Workaround
==========

Manually apply socket permission restrictions to the Docker socket. In
your configuration.nix:

  systemd.sockets.docker = {
    socketConfig.SocketMode = "0660";
    socketConfig.SocketUser = "root";
    socketConfig.SocketGroup = "docker";
  };
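The following check is an added example, not part of the advisory: after rebuilding with either the fix or the workaround above, it verifies that the Docker API socket actually ended up with the intended permissions. Connecting to a Unix socket requires write permission on the socket file, so the test looks for write bits granted to "other" or to a group other than the expected one. Assumptions: GNU/busybox `stat -c` (Linux), a default socket path of /var/run/docker.sock, and a default expected owner and group of root and docker; all three can be overridden as arguments.

```shell
#!/bin/sh
# Added example (not from the advisory or nixpkgs): audit the permissions
# of the Docker API socket. Assumes Linux `stat -c`.

# check_socket_perms PATH [OWNER] [GROUP]
# Returns 0 when only OWNER (default root) and GROUP (default docker) can
# write to the socket, 1 when other users could connect, 2 if it is missing.
check_socket_perms() {
    path=$1
    want_owner=${2:-root}
    want_group=${3:-docker}
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    mode=$(stat -c '%a' "$path")    # octal permission bits, e.g. 660 or 2660
    owner=$(stat -c '%U' "$path")   # owner name
    group=$(stat -c '%G' "$path")   # group name
    # Keep only the last three digits so a setgid bit does not shift fields.
    perm=$(printf '%s' "$mode" | tail -c 3)
    other=${perm#??}                # permission digit for "other"
    grp=${perm%?}; grp=${grp#?}     # permission digit for group
    status=0
    # Write permission for "other" lets every local user talk to dockerd.
    case $other in
        2|3|6|7) echo "FAIL $path: world-writable (mode $mode)"; status=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL $path: owner is $owner, expected $want_owner"; status=1
    fi
    # A writable socket owned by the wrong group grants that group access.
    if [ "$group" != "$want_group" ]; then
        case $grp in
            2|3|6|7) echo "FAIL $path: group-writable by $group, expected $want_group"; status=1 ;;
        esac
    fi
    [ "$status" -eq 0 ] && echo "OK $path: mode $mode, $owner:$group"
    return "$status"
}

# Stand-alone use: sh check-docker-sock.sh /var/run/docker.sock
if [ -n "${1-}" ]; then
    check_socket_perms "$1"
fi
```

Run it against /var/run/docker.sock on a host built from a channel at or past 17.03.887; a mode of 0660 with root:docker ownership prints OK, while the vulnerable world-writable socket prints FAIL.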

Thank You
=========
Thank you Alexey Shmalko (rasendubi on GitHub) for promptly reporting
the vulnerability and submitting a patch.

References
==========

Fix applied to 17.03:
https://github.com/NixOS/nixpkgs/commit/6c59d851e2967410cc8fb6ba3f374b1d3efa988e

Fix applied to unstable:
https://github.com/NixOS/nixpkgs/commit/fa4fe7110566d8370983fa81f2b04a833339236d

16.09 and older are not affected.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

