Description of problem:
Certain files within a container under /var/lib/docker have world read / world execute privileges. I can see specifically in the docker source that these files / directories are being created with these permissions.

Files in a container generally have at least 0644:
/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34

Secrets directory / files are 0755:
/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets

Devicemapper mnt is 0755:
/var/lib/docker/devicemapper/mnt

Varying files / directories under image are 0755 and 0644:
/var/lib/docker/image/devicemapper/distribution

Examples:

/var/lib/docker/containers:
total 4
drwx------ 4 root root 4096 Oct 20 16:42 41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34
drwx------ 3 root root  143 Oct 20 16:42 5d5b7b2605ae5617fc585fba09ba5e5a38ab347ef8186a57eb104b3275ba9a6a

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34:
total 24
-rw-r----- 1 root root    0 Oct 20 16:42 41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34-json.log
-rw-r--r-- 1 root root 5522 Oct 20 16:42 config.v2.json
-rw-r--r-- 1 root root  957 Oct 20 16:42 hostconfig.json
-rw-r--r-- 1 root root   37 Oct 20 16:42 hostname
-rw-r--r-- 1 root root 1189 Oct 20 16:42 hosts
-rw-r--r-- 1 root root  227 Oct 20 16:42 resolv.conf
drwxr-xr-x 4 root root   60 Oct 20 16:42 secrets
drwx------ 2 root root    6 Oct 20 16:42 shm

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets:
total 60
drwxr-xr-x 2 root root    70 Oct 20 16:42 etc-pki-entitlement
-rwxr-xr-x 1 root root 59223 Oct 20 16:42 rhel7.repo
drwxr-xr-x 3 root root    50 Oct 20 16:42 rhsm

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets/etc-pki-entitlement:
total 24
-rwxr-xr-x 1 root root  1679 Oct 20 16:42 5528057471204017288-key.pem
-rwxr-xr-x 1 root root 18060 Oct 20 16:42 5528057471204017288.pem

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets/rhsm:
total 8
drwxr-xr-x 2 root root   27 Oct 20 16:42 ca
-rwxr-xr-x 1 root root 1492 Oct 20 16:42 logging.conf
-rwxr-xr-x 1 root root 1659 Oct 20 16:42 rhsm.conf

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets/rhsm/ca:
total 8
-rwxr-xr-x 1 root root 7732 Oct 20 16:42 redhat-uep.pem

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/shm:
total 0

Plus a few other examples:

/var/lib/docker/devicemapper/mnt:
total 0
drwxr-xr-x. 2 root root 6 Oct 13 22:50 22a063830befffc56f0848622670610b378f2684f4a7a869834d2dae473184c8
drwxr-xr-x  2 root root 6 Oct 14 16:40 47ac0eaf16509c8d9e597d12827b4d9b2d60cf014f0ef6d40dcaa7ab89635620
drwxr-xr-x. 2 root root 6 Sep 30 22:52 4b84e731a8bfef8e6f892157ae0ea9ba53a4eb7b6d6b24a7bebb178e44ba878b
drwxr-xr-x. 2 root root 6 Sep 30 22:52 755b27f6674c7994001d83615331e74e3d64a28c1791dff980239a6e8402b889
drwxr-xr-x. 2 root root 6 Sep 30 22:51 7a8f95796b912c1c0a7093f5df65917ab301ff082c15b1632e81ac501f561ad8
drwxr-xr-x. 2 root root 6 Oct 13 22:50 9200caf9cb7c493df30a5bc5150ecf814091f42610a0a71a8f8ce39c01f1a1f2
drwxr-xr-x  2 root root 6 Oct 20 16:42 ab657c009327af7a3b6d24192d59c7719154bc6e08e3b11f3a17cb25ef4ba347
drwxr-xr-x  2 root root 6 Oct 20 16:42 ab657c009327af7a3b6d24192d59c7719154bc6e08e3b11f3a17cb25ef4ba347-init
drwxr-xr-x. 2 root root 6 Oct 13 22:50 ba9e0f4d72660e01a817b251b4ef4de5201d63006381ca6bf1e3bd10f4eb846b
drwxr-xr-x. 2 root root 6 Sep 30 22:51 bc8007282b5cdf6f8951f4d7ebbe8f42fcd1fe236c4d0cb04fe33f21c7019f40
drwxr-xr-x  2 root root 6 Oct 20 16:42 c93c182a3e897726dcd1833ff0e0d9a3c771037550c59aef65c86465b224fc08
drwxr-xr-x  2 root root 6 Oct 20 16:42 c93c182a3e897726dcd1833ff0e0d9a3c771037550c59aef65c86465b224fc08-init
drwxr-xr-x. 2 root root 6 Sep 30 22:51 d377ba36801b20e01a93040fb572fe11ae30a1fe7729b9f54aa3e50c49d86828
drwxr-xr-x. 2 root root 6 Oct 12 19:09 f650e29bd4547811b688ca6d675931ea8285909651879d04d66a53e999b28067
drwxr-xr-x. 2 root root 6 Sep 30 22:51 fe4b6f44a992dd644ce4d4030bd6de963557b1b9ccba4bf153d22be158e3098b

/var/lib/docker/image/devicemapper/distribution:
total 0
drwxr-xr-x. 3 root root 19 Sep 30 22:51 diffid-by-digest
drwxr-xr-x. 3 root root 19 Sep 30 22:51 v2metadata-by-diffid

/var/lib/docker/image/devicemapper/distribution/diffid-by-digest:
total 4
drwxr-xr-x. 2 root root 4096 Oct 14 16:40 sha256

/var/lib/docker/image/devicemapper/distribution/diffid-by-digest/sha256:
total 44
-rw-r--r--. 1 root root 71 Sep 30 22:52 17a933729cb7c609461f27522475645e75214537370985c546a2a72157379c8f
-rw-r--r--. 1 root root 71 Oct 13 22:50 28e734cf25407abe469be9069fff804e24810727e4bd3d67813dc6a5d87d0139
-rw-r--r--. 1 root root 71 Sep 30 22:51 30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9
-rw-r--r--. 1 root root 71 Oct 13 22:50 450a9a5724ff512d1994da1a24cdc66316ed7f06c5fa7e6b271cb42e4e57f965
-rw-r--r--  1 root root 71 Oct 14 16:40 6438277f9132bf1565b674f88706a883691aa6194004ef73c8f1a0d8be4b57ef
-rw-r--r--. 1 root root 71 Oct 13 22:50 94422a9b642e87814aca4bce2ab33824bca0e49897b4ef49c90c34c047aec415
-rw-r--r--. 1 root root 71 Sep 30 22:52 9906236125e93117b6101f14add9db02aff99952346b4cfde8191f1cbd9cb291
-rw-r--r--. 1 root root 71 Sep 30 22:51 99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed
-rw-r--r--. 1 root root 71 Sep 30 22:52 9e45f9acaaccc149feec79ae1193b090223e977b172e60c8e2c3283dc97770e1
-rw-r--r--. 1 root root 71 Sep 30 22:51 b0423fb7779ad5cd5e49803e60c10cc24ff6f9f93347a9fe1200cabf3acf6312
-rw-r--r--. 1 root root 71 Oct 12 19:09 b7407808f480c7dc93135b3ccd87e11e0c411a2431ef40cf72d5bb6dd691385e

/var/lib/docker/image/devicemapper/layerdb:
total 8
drwxr-xr-x.  4 root root 4096 Oct 20 16:43 mounts
drwxr-xr-x. 13 root root 4096 Oct 14 16:40 sha256
drwxr-xr-x.  2 root root    6 Oct 14 16:40 tmp

/var/lib/docker/image/devicemapper/layerdb/mounts:
total 0
drwxr-xr-x 2 root root 48 Oct 20 16:42 41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34
drwxr-xr-x 2 root root 48 Oct 20 16:42 5d5b7b2605ae5617fc585fba09ba5e5a38ab347ef8186a57eb104b3275ba9a6a

/var/lib/docker/image/devicemapper/layerdb/mounts/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34:
total 12
-rw-r--r-- 1 root root 69 Oct 20 16:42 init-id
-rw-r--r-- 1 root root 64 Oct 20 16:42 mount-id
-rw-r--r-- 1 root root 71 Oct 20 16:42 parent

/var/lib/docker/image/devicemapper/layerdb/mounts/5d5b7b2605ae5617fc585fba09ba5e5a38ab347ef8186a57eb104b3275ba9a6a:
total 12
-rw-r--r-- 1 root root 69 Oct 20 16:42 init-id
-rw-r--r-- 1 root root 64 Oct 20 16:42 mount-id
-rw-r--r-- 1 root root 71 Oct 20 16:42 parent

/var/lib/docker/image/devicemapper/layerdb/sha256/07178b0237740885b413816f67a9173eb09e90d53c1cb8dcfa375ace183ab502:
total 24
-rw-r--r--. 1 root root   64 Sep 30 22:51 cache-id
-rw-r--r--. 1 root root   71 Sep 30 22:51 diff
-rw-r--r--. 1 root root   71 Sep 30 22:51 parent
-rw-r--r--. 1 root root    8 Sep 30 22:51 size
-rw-r--r--. 1 root root 5521 Sep 30 22:51 tar-split.json.gz

Version-Release number of selected component (if applicable):
docker / docker-latest

How reproducible:
100%

Steps to Reproduce:
1. Start a container in docker or openshift.

Actual results:
Many directories and files with world readable / executable permissions.

Expected results:
Tighter permissions on the files and directories of containers, as seen from the host.

Additional info:
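As an added host-side check for the condition described in the report above (example code written here, not code from docker or from this bug's fix; the function names and the sample tree are hypothetical), the POSIX sh below walks a docker root and lists every entry whose mode grants group or other any permission bit, then applies a stricter pass to containers/*/secrets, where the entitlement key and certificates from the listing live. hostname, hosts and resolv.conf are excluded from the general pass because the container needs them readable (the reply below notes resolv.conf has to stay 644). A remediation function brings each secrets tree to the owner-only state that the eventual fix creates.

```shell
#!/bin/sh
# Added audit helper for /var/lib/docker permissions; hypothetical names,
# not code from docker or from this bug's fix.

# Print, sorted, every path under $1 whose mode grants group or other
# read, write or execute. Symlinks are skipped: their mode bits are not
# enforced. hostname, hosts and resolv.conf are excluded because the
# container needs them readable and they are expected to stay 0644.
world_accessible() {
    find "$1" ! -type l \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        ! -name hostname ! -name hosts ! -name resolv.conf \
        -print | sort
}

# Print every entry under <root>/containers/*/secrets that is not
# owner-only. Keys and certificates are stored here, so any group or
# other bit is a finding regardless of file name.
secrets_leaks() {
    for d in "$1"/containers/*/secrets; do
        if [ -d "$d" ]; then
            world_accessible "$d"
        fi
    done
}

# Remediation: strip all group/other bits from each secrets tree, which
# turns 0755 directories into 0700 and 0755 files into 0700/0600-style
# owner-only modes. Run as root on a live host; docker recreates the tree
# on container start, so this is a stop-gap until the daemon is fixed.
tighten_secrets() {
    for d in "$1"/containers/*/secrets; do
        if [ -d "$d" ]; then
            chmod -R go-rwx "$d"
        fi
    done
}

# Count the lines a finding function emits for a root, as a plain integer.
count_findings() {
    "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit.sh /var/lib/docker
if [ -n "${1:-}" ]; then
    echo "== entries under $1 accessible to group or other"
    world_accessible "$1"
    echo "== secrets entries not restricted to the owner"
    secrets_leaks "$1"
fi
```

Running it against a docker root before and after `tighten_secrets` shows the secrets findings drop to zero while the 0644 metadata under image/ and the 0755 devicemapper/mnt directories remain listed by the general pass; those are the items the later replies discuss tightening separately.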
Antonio, let's look at tightening the secrets patch from 0755 to 0700.
Vivek, is there any reason you know of that we could not tighten the image directories to 700, or 750? Files like resolv.conf have to be 644.
The secrets patch now creates files and directories with 700. Fixed in docker-1.13; I've also created PRs for docker-1.12 and docker-1.12.2.
Fixed in the current release.