authorAlexey Shmalko <rasen.dubi@gmail.com>2017-03-27 16:11:44 +0300
committerGraham Christensen <graham@grahamc.com>2017-04-03 09:05:37 -0400
commitfa4fe7110566d8370983fa81f2b04a833339236d (patch)
tree3202ae71ea9f60182e2b6d7e1193e8b64bee8a29 /nixos/modules/virtualisation/docker.nix
parenta29d0df28c3036e26c1806fe9172e79c0ab386ed (diff)
docker: fix socket permissions
The Docker socket is world-writable. This means any user on the system is able to invoke the docker command (which is equivalent to having root access to the machine). This commit makes the socket group-writable and owned by the docker group. Inspired by https://github.com/docker/docker/blob/master/contrib/init/systemd/docker.socket
Diffstat (limited to 'nixos/modules/virtualisation/docker.nix')
-rw-r--r--nixos/modules/virtualisation/docker.nix12
1 files changed, 11 insertions, 1 deletions
diff --git a/nixos/modules/virtualisation/docker.nix b/nixos/modules/virtualisation/docker.nix
index 4b30a38f832f..f1101d7ea66e 100644
--- a/nixos/modules/virtualisation/docker.nix
+++ b/nixos/modules/virtualisation/docker.nix
@@ -126,7 +126,17 @@ in
path = [ pkgs.kmod ] ++ (optional (cfg.storageDriver == "zfs") pkgs.zfs);
};
- systemd.sockets.docker.socketConfig.ListenStream = cfg.listenOptions;
+
+ systemd.sockets.docker = {
+ description = "Docker Socket for the API";
+ wantedBy = [ "sockets.target" ];
+ socketConfig = {
+ ListenStream = cfg.listenOptions;
+ SocketMode = "0660";
+ SocketUser = "root";
+ SocketGroup = "docker";
+ };
+ };
}
]);
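Review bot: The security rationale for the new `SocketMode`/`SocketUser`/`SocketGroup` triple lives only in the commit message; a one-line comment above `socketConfig` would keep it with the code, e.g. `# 0660 root:docker — write access to this socket is root-equivalent, so restrict it to the docker group.` `SocketGroup = "docker"` also presumes the `docker` group is declared by this module (not visible in the hunk); if it is not, systemd cannot resolve the group and socket activation fails, so the setting should be paired with a `users.extraGroups.docker` entry. Note that mode/owner/group apply only to UNIX-socket entries in `cfg.listenOptions`; a TCP address listed there is not protected by this change.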