Bug 2138434

Summary: podman: ubi8 sticky bit removed from /tmp
Product: Red Hat Enterprise Linux 8
Reporter: rseip
Component: podman
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: Joy Pu <ypu>
Severity: high
Docs Contact:
Priority: unspecified
Version: 8.6
CC: alex.wayfer, bbaude, dornelas, dwalsh, fryguy9, jligon, jnovy, jwboyer, lfriedma, lsm5, mbasti, mheon, nalin, pthomas, tsweeney, umohnani, yorgos.saslis, ypu
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: 8.8
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version: podman-4.4.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2141452 2152023 2152027
Environment:
Last Closed: 2023-05-16 08:22:22 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2141452, 2152001
Bug Blocks: 2152023, 2152027

Description rseip 2022-10-28 19:37:16 UTC
Description of problem:

The sticky bit has been removed from /tmp directory in ubi8/ubi:8.6-990 and ubi8/ubi:8.6-983. It was present in previous image ubi8/ubi:8.6-943.1665521450.

Version-Release number of selected component (if applicable):

ubi8/ubi:8.6-990 and ubi8/ubi:8.6-983

How reproducible: see Steps to Reproduce below.

Steps to Reproduce:
1. podman run -ti registry.access.redhat.com/ubi8/ubi:8.6-990 ls -ld /tmp
2. podman run -ti registry.access.redhat.com/ubi8/ubi:8.6-983 ls -ld /tmp
3. podman run -ti registry.access.redhat.com/ubi8/ubi:8.6-943.1665521450 ls -ld /tmp

Actual results:

For ubi8/ubi:8.6-983:

drwxrwxrwx. 2 root root 58 Oct 19 04:57 /tmp

For ubi8/ubi:8.6-990:

drwxrwxrwx. 2 root root 58 Oct 26 11:23 /tmp

Expected results:

For ubi8/ubi:8.6-983:

drwxrwxrwt. 2 root root 58 Oct 19 04:57 /tmp

For ubi8/ubi:8.6-990:

drwxrwxrwt. 2 root root 58 Oct 26 11:23 /tmp

Additional info:

No longer compliant with https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-stig.html#xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
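A check for the condition behind the STIG rule linked above, added here as an example and not part of the bug report: it flags world-writable directories that lack the sticky bit, either across a whole tree or for a single path, and the last function queries /tmp of an image with podman the way the reproducer does. It assumes GNU find and GNU stat (coreutils); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the bug report. Audits for the condition behind
# STIG rule dir_perms_world_writable_sticky_bits: a world-writable directory
# must carry the sticky bit (mode 1777, shown by ls as drwxrwxrwt); without
# it any user can delete or rename other users' files in that directory.
# Assumes GNU find and GNU stat (coreutils), as shipped in ubi8/ubi.

# Print every directory under $1 that is world-writable (o+w) but has no
# sticky bit. Empty output means the tree is compliant.
find_ww_nosticky() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Exit 0 if directory $1 is compliant (not world-writable, or world-writable
# with the sticky bit), 1 if it is world-writable without it.
dir_is_compliant() {
    mode=$(stat -c '%a' "$1") || return 1   # octal mode, e.g. 1777 or 777
    m=$((0$mode))                            # leading 0 makes it octal in sh arithmetic
    if [ $((m & 2)) -ne 0 ] && [ $((m & 01000)) -eq 0 ]; then
        return 1
    fi
    return 0
}

# Report /tmp of a container image as a plain octal mode, like the
# reproducer's `ls -ld /tmp` but easier to compare: "1777" for a good image,
# "777" for the ubi8/ubi:8.6-983 and 8.6-990 builds described above.
# Requires podman and access to the registry.
image_tmp_mode() {
    podman run --rm "$1" stat -c '%a' /tmp
}

# Stand-alone use: audit the host's root filesystem (read-only scan).
# find_ww_nosticky /
```

Running `find_ww_nosticky /` inside a container built from an affected image lists `/tmp`; on a fixed image it prints nothing.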

Comment 1 Jason Frey 2022-11-08 16:28:23 UTC
One side effect of this is that in Ruby, `Dir.tmpdir` refuses to use /tmp dir resulting in an exception: "ArgumentError (could not find a temporary directory)".  See also https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3933.


Another view using `stat`

$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi8/ubi:8.6-943.1665521450

[root@6dc45f004085 /]# stat /tmp | grep Access
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)

$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi8/ubi:8.6-983

[root@68270b51c126 /]# stat /tmp | grep Access
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)

Comment 2 Jason Frey 2022-11-08 17:23:37 UTC
ubi9 is also affected as of ubi9/ubi:9.0.0-1640.1666621574.


$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi9/ubi:9.0.0-1640.1665068441

[root@35e71c989f5a /]# stat /tmp | grep Access
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)

$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi8/ubi:9.0.0-1640.1666621574

[root@d4a641cdda41 /]# stat /tmp | grep Access
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)


Additionally, the minimal variants are also affected.

One interesting note here is that this also aligns with what appears to be a reduction from 2 layers to 1 layer, which can be seen during a docker pull.

Comment 4 Derrick Ornelas 2022-11-09 18:55:13 UTC
This appears to be a podman issue. The new image build system now uses podman, and during the build the sticky bit is removed for a yet unknown reason.

Comment 5 Derrick Ornelas 2022-11-09 18:57:32 UTC
*** Bug 2138431 has been marked as a duplicate of this bug. ***

Comment 18 Joy Pu 2023-02-13 08:09:31 UTC
Tested with podman-4.4.0-1.module+el8.8.0+18060+3f21f2cc.x86_64, and the t shows up in the ls output, so moving it to verified. More details:
# podman build -t test .
STEP 1/23: FROM scratch
STEP 2/23: ADD rhel-base-fs-container-8.6-2480.x86_64.tar.gz /
--> 3390829f087
STEP 3/23: ADD tls-ca-bundle.pem /tmp/tls-ca-bundle.pem
--> 54bc11249fa
STEP 4/23: ADD atomic-reactor-repos/* /etc/yum.repos.d/
--> de3ccb65342
STEP 5/23: LABEL maintainer="Red Hat, Inc."
--> a7e84022ea3
STEP 6/23: LABEL com.redhat.component="ubi8-container"       name="ubi8"       version="8.6"
--> 9ce5f131243
STEP 7/23: LABEL com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI"
--> b51b159625f
STEP 8/23: LABEL summary="Provides the latest release of Red Hat Universal Base Image 8."
--> ae5b22e0bb0
STEP 9/23: LABEL description="The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly."
--> 5b5b466fc71
STEP 10/23: LABEL io.k8s.display-name="Red Hat Universal Base Image 8"
--> d699ee1a20f
STEP 11/23: LABEL io.openshift.expose-services=""
--> c8cb65ef7e5
STEP 12/23: LABEL io.openshift.tags="base rhel8"
--> 0a2e37159a1
STEP 13/23: ENV container oci
--> 829cc16e751
STEP 14/23: ENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
--> 51b4447a80c
STEP 15/23: CMD ["/bin/bash"]
--> c9e8796d317
STEP 16/23: RUN rm -rf /var/log/*
--> cc04997188e
STEP 17/23: RUN mkdir -p /var/log/rhsm
--> 969a103b568
STEP 18/23: LABEL release=1054
--> 1380a84f29c
STEP 19/23: ADD ubi8-container-8.6-1054.json /root/buildinfo/content_manifests/ubi8-container-8.6-1054.json
--> 0d18e0302fe
STEP 20/23: ADD Dockerfile-ubi8-8.6-1054 /root/buildinfo/Dockerfile-ubi8-8.6-1054
--> 954877a1ca1
STEP 21/23: LABEL "distribution-scope"="public" "vendor"="Red Hat, Inc." "build-date"="2022-12-19T02:04:53" "architecture"="x86_64" "vcs-type"="git" "vcs-ref"="f1ee6e37554363ec55e0035aba1a693d3627fdeb" "io.k8s.description"="The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly." "url"="https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/images/8.6-1054"
--> 593637f9054
STEP 22/23: RUN rm -f '/etc/yum.repos.d/beaker-AppStream.repo'
--> 97506e50914
STEP 23/23: RUN rm -f /tmp/tls-ca-bundle.pem
COMMIT test
--> 156b48d357b
Successfully tagged localhost/test:latest
156b48d357b955b7963905fdc541ffb8e410ab73e5d19008108bb7d0f986cfbb
# podman run test ls -ld /tmp
drwxrwxrwt. 1 root root 31 Feb 13 07:57 /tmp

Comment 20 errata-xmlrpc 2023-05-16 08:22:22 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2758