Bug 1958406

Summary: Twistlock flags mode of /var/run/crio/crio.sock
Product: OpenShift Container Platform
Reporter: David Kaylor <dkaylor>
Component: Node
Assignee: Peter Hunt <pehunt>
Node sub component: CRI-O
QA Contact: Sunil Choudhary <schoudha>
Status: CLOSED ERRATA
Severity: low
Priority: unspecified
CC: aos-bugs, dornelas, jligon, miabbott, mrussell, nstielau, walters
Version: 4.7
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2021-07-27 23:07:25 UTC
Type: Bug

Description David Kaylor 2021-05-07 20:31:57 UTC
OCP Version at Install Time: 4.7
RHCOS Version at Install Time: 4.7
Platform: AWS, bare metal
Architecture: x86_64

What are you trying to do? What is your use case?
This may not be a bug. If not, an explanation that can be taken back to Twistlock would be appreciated.

What happened? What went wrong or what did you expect?
A Twistlock scan shows the mode of the file is 755, but the file perms should not exceed 660 according to them.

What are the steps to reproduce your issue? Please try to reduce these steps to something that can be reproduced with a single RHCOS node.
The current mode can be confirmed with "ls -l /var/run/crio/crio.sock"

Comment 2 Peter Hunt 2021-05-10 20:15:03 UTC
I can't think of a historical reason, it's just what golang does (see https://github.com/golang/go/issues/11822)

Let's see what happens if we change it.
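
The Go behaviour that comment 2 refers to, as an added example that is not part of the bug report and not CRI-O's actual fix: `net.Listen("unix", ...)` leaves the socket with the mode `bind(2)` assigns (0777 masked by the umask, so 755 under umask 022), and a chmod after listening narrows it to the 660 ceiling the scanner expects. The helper names, the temp path and the umask value are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// exceeds reports whether mode grants any permission bit that limit does not.
func exceeds(mode, limit os.FileMode) bool { return mode.Perm()&^limit.Perm() != 0 }
// perm returns the permission bits of the file at path.
func perm(path string) (os.FileMode, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// socketModes binds a Unix socket at path under umask and returns the mode
// bind(2) gave it (0777 &^ umask) and its mode after chmod to want.
func socketModes(path string, umask int, want os.FileMode) (before, after os.FileMode, err error) {
	defer syscall.Umask(syscall.Umask(umask)) // set now, restore on return
	l, err := net.Listen("unix", path)
	if err != nil {
		return 0, 0, err
	}
	defer l.Close() // closing the listener also unlinks the socket file
	if before, err = perm(path); err == nil {
		// Window: the wider mode applies until this chmod completes.
		err = os.Chmod(path, want)
	}
	if err == nil {
		after, err = perm(path)
	}
	return before, after, err
}

// demo uses a constructed temp path and umask 022, not CRI-O's real socket.
func demo() (before, after os.FileMode, err error) {
	dir, err := os.MkdirTemp("", "sock")
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(dir)
	return socketModes(dir+"/demo.sock", 0o022, 0o660)
}

func main() { fmt.Println(demo()) }
```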

Comment 3 Peter Hunt 2021-05-20 17:16:01 UTC
4.8 fix attached

Comment 4 Peter Hunt 2021-05-21 12:53:44 UTC
PR merged

Comment 9 errata-xmlrpc 2021-07-27 23:07:25 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438