Bug 1388156

Summary:	Evaluate and tighten directory and file permissions under /var/lib/docker
Product:	Red Hat Enterprise Linux 7	Reporter:	Matthew Robson <mrobson>
Component:	docker	Assignee:	Antonio Murdaca <amurdaca>
Status:	CLOSED CURRENTRELEASE	QA Contact:	atomic-bugs <atomic-bugs>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	7.2	CC:	amurdaca, dwalsh, lsm5, vgoyal
Target Milestone:	rc	Keywords:	Extras
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-06-30 15:17:06 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:

Description Matthew Robson 2016-10-24 15:33:59 UTC

Description of problem:

Certain files within a container under /var/lib/docker have world read / world execute privileges.  I can see specifically in the docker source these files / directories are being created with these permissions.

Files in a container generally have at least 0644

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34

Secrets directory / files are 0755

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets

Devicemapper mnt is 0755

/var/lib/docker/devicemapper/mnt

Varying files / directories under image are 0755 and 0644

/var/lib/docker/image/devicemapper/distribution

Examples;

/var/lib/docker/containers:
total 4
drwx------ 4 root root 4096 Oct 20 16:42 41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34
drwx------ 3 root root  143 Oct 20 16:42 5d5b7b2605ae5617fc585fba09ba5e5a38ab347ef8186a57eb104b3275ba9a6a

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34:
total 24
-rw-r----- 1 root root    0 Oct 20 16:42 41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34-json.log
-rw-r--r-- 1 root root 5522 Oct 20 16:42 config.v2.json
-rw-r--r-- 1 root root  957 Oct 20 16:42 hostconfig.json
-rw-r--r-- 1 root root   37 Oct 20 16:42 hostname
-rw-r--r-- 1 root root 1189 Oct 20 16:42 hosts
-rw-r--r-- 1 root root  227 Oct 20 16:42 resolv.conf
drwxr-xr-x 4 root root   60 Oct 20 16:42 secrets
drwx------ 2 root root    6 Oct 20 16:42 shm

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets:
total 60
drwxr-xr-x 2 root root    70 Oct 20 16:42 etc-pki-entitlement
-rwxr-xr-x 1 root root 59223 Oct 20 16:42 rhel7.repo
drwxr-xr-x 3 root root    50 Oct 20 16:42 rhsm

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets/etc-pki-entitlement:
total 24
-rwxr-xr-x 1 root root  1679 Oct 20 16:42 5528057471204017288-key.pem
-rwxr-xr-x 1 root root 18060 Oct 20 16:42 5528057471204017288.pem

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets/rhsm:
total 8
drwxr-xr-x 2 root root   27 Oct 20 16:42 ca
-rwxr-xr-x 1 root root 1492 Oct 20 16:42 logging.conf
-rwxr-xr-x 1 root root 1659 Oct 20 16:42 rhsm.conf

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets/rhsm/ca:
total 8
-rwxr-xr-x 1 root root 7732 Oct 20 16:42 redhat-uep.pem

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/shm:
total 0

Plus a few other examples;

/var/lib/docker/devicemapper/mnt:
total 0
drwxr-xr-x. 2 root root 6 Oct 13 22:50 22a063830befffc56f0848622670610b378f2684f4a7a869834d2dae473184c8
drwxr-xr-x  2 root root 6 Oct 14 16:40 47ac0eaf16509c8d9e597d12827b4d9b2d60cf014f0ef6d40dcaa7ab89635620
drwxr-xr-x. 2 root root 6 Sep 30 22:52 4b84e731a8bfef8e6f892157ae0ea9ba53a4eb7b6d6b24a7bebb178e44ba878b
drwxr-xr-x. 2 root root 6 Sep 30 22:52 755b27f6674c7994001d83615331e74e3d64a28c1791dff980239a6e8402b889
drwxr-xr-x. 2 root root 6 Sep 30 22:51 7a8f95796b912c1c0a7093f5df65917ab301ff082c15b1632e81ac501f561ad8
drwxr-xr-x. 2 root root 6 Oct 13 22:50 9200caf9cb7c493df30a5bc5150ecf814091f42610a0a71a8f8ce39c01f1a1f2
drwxr-xr-x  2 root root 6 Oct 20 16:42 ab657c009327af7a3b6d24192d59c7719154bc6e08e3b11f3a17cb25ef4ba347
drwxr-xr-x  2 root root 6 Oct 20 16:42 ab657c009327af7a3b6d24192d59c7719154bc6e08e3b11f3a17cb25ef4ba347-init
drwxr-xr-x. 2 root root 6 Oct 13 22:50 ba9e0f4d72660e01a817b251b4ef4de5201d63006381ca6bf1e3bd10f4eb846b
drwxr-xr-x. 2 root root 6 Sep 30 22:51 bc8007282b5cdf6f8951f4d7ebbe8f42fcd1fe236c4d0cb04fe33f21c7019f40
drwxr-xr-x  2 root root 6 Oct 20 16:42 c93c182a3e897726dcd1833ff0e0d9a3c771037550c59aef65c86465b224fc08
drwxr-xr-x  2 root root 6 Oct 20 16:42 c93c182a3e897726dcd1833ff0e0d9a3c771037550c59aef65c86465b224fc08-init
drwxr-xr-x. 2 root root 6 Sep 30 22:51 d377ba36801b20e01a93040fb572fe11ae30a1fe7729b9f54aa3e50c49d86828
drwxr-xr-x. 2 root root 6 Oct 12 19:09 f650e29bd4547811b688ca6d675931ea8285909651879d04d66a53e999b28067
drwxr-xr-x. 2 root root 6 Sep 30 22:51 fe4b6f44a992dd644ce4d4030bd6de963557b1b9ccba4bf153d22be158e3098b

/var/lib/docker/image/devicemapper/distribution:
total 0
drwxr-xr-x. 3 root root 19 Sep 30 22:51 diffid-by-digest
drwxr-xr-x. 3 root root 19 Sep 30 22:51 v2metadata-by-diffid

/var/lib/docker/image/devicemapper/distribution/diffid-by-digest:
total 4
drwxr-xr-x. 2 root root 4096 Oct 14 16:40 sha256

/var/lib/docker/image/devicemapper/distribution/diffid-by-digest/sha256:
total 44
-rw-r--r--. 1 root root 71 Sep 30 22:52 17a933729cb7c609461f27522475645e75214537370985c546a2a72157379c8f
-rw-r--r--. 1 root root 71 Oct 13 22:50 28e734cf25407abe469be9069fff804e24810727e4bd3d67813dc6a5d87d0139
-rw-r--r--. 1 root root 71 Sep 30 22:51 30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9
-rw-r--r--. 1 root root 71 Oct 13 22:50 450a9a5724ff512d1994da1a24cdc66316ed7f06c5fa7e6b271cb42e4e57f965
-rw-r--r--  1 root root 71 Oct 14 16:40 6438277f9132bf1565b674f88706a883691aa6194004ef73c8f1a0d8be4b57ef
-rw-r--r--. 1 root root 71 Oct 13 22:50 94422a9b642e87814aca4bce2ab33824bca0e49897b4ef49c90c34c047aec415
-rw-r--r--. 1 root root 71 Sep 30 22:52 9906236125e93117b6101f14add9db02aff99952346b4cfde8191f1cbd9cb291
-rw-r--r--. 1 root root 71 Sep 30 22:51 99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed
-rw-r--r--. 1 root root 71 Sep 30 22:52 9e45f9acaaccc149feec79ae1193b090223e977b172e60c8e2c3283dc97770e1
-rw-r--r--. 1 root root 71 Sep 30 22:51 b0423fb7779ad5cd5e49803e60c10cc24ff6f9f93347a9fe1200cabf3acf6312
-rw-r--r--. 1 root root 71 Oct 12 19:09 b7407808f480c7dc93135b3ccd87e11e0c411a2431ef40cf72d5bb6dd691385e

/var/lib/docker/image/devicemapper/layerdb:
total 8
drwxr-xr-x.  4 root root 4096 Oct 20 16:43 mounts
drwxr-xr-x. 13 root root 4096 Oct 14 16:40 sha256
drwxr-xr-x.  2 root root    6 Oct 14 16:40 tmp

/var/lib/docker/image/devicemapper/layerdb/mounts:
total 0
drwxr-xr-x 2 root root 48 Oct 20 16:42 41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34
drwxr-xr-x 2 root root 48 Oct 20 16:42 5d5b7b2605ae5617fc585fba09ba5e5a38ab347ef8186a57eb104b3275ba9a6a

/var/lib/docker/image/devicemapper/layerdb/mounts/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34:
total 12
-rw-r--r-- 1 root root 69 Oct 20 16:42 init-id
-rw-r--r-- 1 root root 64 Oct 20 16:42 mount-id
-rw-r--r-- 1 root root 71 Oct 20 16:42 parent

/var/lib/docker/image/devicemapper/layerdb/mounts/5d5b7b2605ae5617fc585fba09ba5e5a38ab347ef8186a57eb104b3275ba9a6a:
total 12
-rw-r--r-- 1 root root 69 Oct 20 16:42 init-id
-rw-r--r-- 1 root root 64 Oct 20 16:42 mount-id
-rw-r--r-- 1 root root 71 Oct 20 16:42 parent

/var/lib/docker/image/devicemapper/layerdb/sha256/07178b0237740885b413816f67a9173eb09e90d53c1cb8dcfa375ace183ab502:
total 24
-rw-r--r--. 1 root root   64 Sep 30 22:51 cache-id
-rw-r--r--. 1 root root   71 Sep 30 22:51 diff
-rw-r--r--. 1 root root   71 Sep 30 22:51 parent
-rw-r--r--. 1 root root    8 Sep 30 22:51 size
-rw-r--r--. 1 root root 5521 Sep 30 22:51 tar-split.json.gz


Version-Release number of selected component (if applicable):
docker / docker-latest

How reproducible:
100%

Steps to Reproduce:
1. start a container in docker or openshift

Actual results:
Many directories and files with world readable / executable permissions

Expected results:
Tighter permissions related to files and directories of containers from the host point.


Additional info:

Comment 3 Daniel Walsh 2016-10-24 18:03:53 UTC

Antonio lets look at tightening the secrets patch from 0755 to 0700

Comment 4 Daniel Walsh 2016-10-24 18:05:22 UTC

Vivek any reason you know that we could not tighten the image directories to 700?  or 750?

The files like resolv.conf have to be 644.

Comment 5 Antonio Murdaca 2016-10-25 13:55:08 UTC

The secret patch now creates files and directory with 700. Fixed in docker-1.13, I've also created PRs for docker-1.12 and docker-1.12.2.

Comment 6 Daniel Walsh 2017-06-30 15:17:06 UTC

Fixed in the current release.