
Commit 3068415

committed
Widen permissions on "client/key.pem" (especially for unprivileged usage)
1 parent 4975dca commit 3068415


5 files changed

+5
-0
lines changed


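--- a/18.09-rc/dind/dockerd-entrypoint.sh
+++ b/18.09-rc/dind/dockerd-entrypoint.sh
@@ -66,6 +66,7 @@ _tls_generate_certs() {
 # if we have a CA private key, we should create/manage a client key
 mkdir -p "$dir/client"
 _tls_ensure_private "$dir/client/key.pem"
+chmod 0644 "$dir/client/key.pem" # openssl defaults to 0600 for the private key, but this one needs to be shared with arbitrary client contexts
 openssl req -new \
 -key "$dir/client/key.pem" \
 -out "$dir/client/csr.pem" \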
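Review bot: The added `chmod 0644 "$dir/client/key.pem"` makes the TLS client private key world-readable, so any user or container that can read `$dir/client` can present this client identity to the daemon; the inline comment explains why the mode is widened but not what that exposes. I would extend the comment to state the trust boundary, e.g. `# world-readable by design: anything that can read "$dir/client" can authenticate to this daemon, so share that directory only with trusted clients`. The chmod also appears to run on every start rather than only when the key is first created (the body of `_tls_ensure_private` is not visible here), which would reset a mode an operator had tightened to 0600 or 0640; confirm whether that is intended. The same line is added in 18.09/dind, 19.03-rc/dind, 19.03/dind and the top-level dockerd-entrypoint.sh, and `_tls_generate_certs` starts and ends outside the hunk.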

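--- a/18.09/dind/dockerd-entrypoint.sh
+++ b/18.09/dind/dockerd-entrypoint.sh
@@ -66,6 +66,7 @@ _tls_generate_certs() {
 # if we have a CA private key, we should create/manage a client key
 mkdir -p "$dir/client"
 _tls_ensure_private "$dir/client/key.pem"
+chmod 0644 "$dir/client/key.pem" # openssl defaults to 0600 for the private key, but this one needs to be shared with arbitrary client contexts
 openssl req -new \
 -key "$dir/client/key.pem" \
 -out "$dir/client/csr.pem" \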

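--- a/19.03-rc/dind/dockerd-entrypoint.sh
+++ b/19.03-rc/dind/dockerd-entrypoint.sh
@@ -66,6 +66,7 @@ _tls_generate_certs() {
 # if we have a CA private key, we should create/manage a client key
 mkdir -p "$dir/client"
 _tls_ensure_private "$dir/client/key.pem"
+chmod 0644 "$dir/client/key.pem" # openssl defaults to 0600 for the private key, but this one needs to be shared with arbitrary client contexts
 openssl req -new \
 -key "$dir/client/key.pem" \
 -out "$dir/client/csr.pem" \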

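--- a/19.03/dind/dockerd-entrypoint.sh
+++ b/19.03/dind/dockerd-entrypoint.sh
@@ -66,6 +66,7 @@ _tls_generate_certs() {
 # if we have a CA private key, we should create/manage a client key
 mkdir -p "$dir/client"
 _tls_ensure_private "$dir/client/key.pem"
+chmod 0644 "$dir/client/key.pem" # openssl defaults to 0600 for the private key, but this one needs to be shared with arbitrary client contexts
 openssl req -new \
 -key "$dir/client/key.pem" \
 -out "$dir/client/csr.pem" \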

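--- a/dockerd-entrypoint.sh
+++ b/dockerd-entrypoint.sh
@@ -66,6 +66,7 @@ _tls_generate_certs() {
 # if we have a CA private key, we should create/manage a client key
 mkdir -p "$dir/client"
 _tls_ensure_private "$dir/client/key.pem"
+chmod 0644 "$dir/client/key.pem" # openssl defaults to 0600 for the private key, but this one needs to be shared with arbitrary client contexts
 openssl req -new \
 -key "$dir/client/key.pem" \
 -out "$dir/client/csr.pem" \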
