cecd981717
The `/etc/docker` directory is used both by the dockerd daemon and the docker cli (if installed on the saem host as the daemon). In situations where the `/etc/docker` directory does not exist, and an initial `key.json` (legacy trust key) is generated (at the default location), the `/etc/docker/` directory was created with 0700 permissions, making the directory only accessible by `root`. Given that the `0600` permissions on the key itself already protect it from being used by other users, the permissions of `/etc/docker` can be less restrictive. This patch changes the permissions for the directory to `0755`, so that the CLI (if executed as non-root) can also access this directory. > **NOTE**: "strictly", this patch is only needed for situations where no _custom_ > location for the trustkey is specified (not overridden with `--deprecated-key-path`), > but setting the permissions only for the "default" case would make > this more complicated. ```bash make binary shell make install ls -la /etc/ | grep docker dockerd ^C ls -la /etc/ | grep docker drwxr-xr-x 2 root root 4096 Sep 14 12:11 docker ``` Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
57 lines
1.8 KiB
Go
57 lines
1.8 KiB
Go
package daemon // import "github.com/docker/docker/daemon"
|
|
|
|
import (
|
|
"encoding/json"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"github.com/docker/docker/pkg/ioutils"
|
|
"github.com/docker/docker/pkg/system"
|
|
"github.com/docker/libtrust"
|
|
)
|
|
|
|
// LoadOrCreateTrustKey attempts to load the libtrust key at the given path,
|
|
// otherwise generates a new one
|
|
// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need
|
|
// a refactor or this function to be moved into libtrust
|
|
func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
|
|
err := system.MkdirAll(filepath.Dir(trustKeyPath), 0755, "")
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
trustKey, err := libtrust.LoadKeyFile(trustKeyPath)
|
|
if err == libtrust.ErrKeyFileDoesNotExist {
|
|
trustKey, err = libtrust.GenerateECP256PrivateKey()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Error generating key: %s", err)
|
|
}
|
|
encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))
|
|
if err != nil {
|
|
return nil, fmt.Errorf("Error serializing key: %s", err)
|
|
}
|
|
if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {
|
|
return nil, fmt.Errorf("Error saving key file: %s", err)
|
|
}
|
|
} else if err != nil {
|
|
return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)
|
|
}
|
|
return trustKey, nil
|
|
}
|
|
|
|
func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {
|
|
if ext == ".json" || ext == ".jwk" {
|
|
encoded, err = json.Marshal(key)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to encode private key JWK: %s", err)
|
|
}
|
|
} else {
|
|
pemBlock, err := key.PEMBlock()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("unable to encode private key PEM: %s", err)
|
|
}
|
|
encoded = pem.EncodeToMemory(pemBlock)
|
|
}
|
|
return
|
|
}
|