
Bug 1388156

Summary: Evaluate and tighten directory and file permissions under /var/lib/docker
Product: Red Hat Enterprise Linux 7
Reporter: Matthew Robson <mrobson>
Component: docker
Assignee: Antonio Murdaca <amurdaca>
Status: CLOSED CURRENTRELEASE
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.2
CC: amurdaca, dwalsh, lsm5, vgoyal
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-06-30 15:17:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Matthew Robson 2016-10-24 15:33:59 UTC
Description of problem:

Certain files within a container under /var/lib/docker have world read / world execute privileges.  I can see specifically in the docker source these files / directories are being created with these permissions.

Files in a container generally have at least 0644

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34

Secrets directory / files are 0755

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets

Devicemapper mnt is 0755

/var/lib/docker/devicemapper/mnt

Varying files / directories under image are 0755 and 0644

/var/lib/docker/image/devicemapper/distribution

Examples:

/var/lib/docker/containers:
total 4
drwx------ 4 root root 4096 Oct 20 16:42 41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34
drwx------ 3 root root  143 Oct 20 16:42 5d5b7b2605ae5617fc585fba09ba5e5a38ab347ef8186a57eb104b3275ba9a6a

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34:
total 24
-rw-r----- 1 root root    0 Oct 20 16:42 41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34-json.log
-rw-r--r-- 1 root root 5522 Oct 20 16:42 config.v2.json
-rw-r--r-- 1 root root  957 Oct 20 16:42 hostconfig.json
-rw-r--r-- 1 root root   37 Oct 20 16:42 hostname
-rw-r--r-- 1 root root 1189 Oct 20 16:42 hosts
-rw-r--r-- 1 root root  227 Oct 20 16:42 resolv.conf
drwxr-xr-x 4 root root   60 Oct 20 16:42 secrets
drwx------ 2 root root    6 Oct 20 16:42 shm

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets:
total 60
drwxr-xr-x 2 root root    70 Oct 20 16:42 etc-pki-entitlement
-rwxr-xr-x 1 root root 59223 Oct 20 16:42 rhel7.repo
drwxr-xr-x 3 root root    50 Oct 20 16:42 rhsm

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets/etc-pki-entitlement:
total 24
-rwxr-xr-x 1 root root  1679 Oct 20 16:42 5528057471204017288-key.pem
-rwxr-xr-x 1 root root 18060 Oct 20 16:42 5528057471204017288.pem

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets/rhsm:
total 8
drwxr-xr-x 2 root root   27 Oct 20 16:42 ca
-rwxr-xr-x 1 root root 1492 Oct 20 16:42 logging.conf
-rwxr-xr-x 1 root root 1659 Oct 20 16:42 rhsm.conf

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/secrets/rhsm/ca:
total 8
-rwxr-xr-x 1 root root 7732 Oct 20 16:42 redhat-uep.pem

/var/lib/docker/containers/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34/shm:
total 0

Plus a few other examples:

/var/lib/docker/devicemapper/mnt:
total 0
drwxr-xr-x. 2 root root 6 Oct 13 22:50 22a063830befffc56f0848622670610b378f2684f4a7a869834d2dae473184c8
drwxr-xr-x  2 root root 6 Oct 14 16:40 47ac0eaf16509c8d9e597d12827b4d9b2d60cf014f0ef6d40dcaa7ab89635620
drwxr-xr-x. 2 root root 6 Sep 30 22:52 4b84e731a8bfef8e6f892157ae0ea9ba53a4eb7b6d6b24a7bebb178e44ba878b
drwxr-xr-x. 2 root root 6 Sep 30 22:52 755b27f6674c7994001d83615331e74e3d64a28c1791dff980239a6e8402b889
drwxr-xr-x. 2 root root 6 Sep 30 22:51 7a8f95796b912c1c0a7093f5df65917ab301ff082c15b1632e81ac501f561ad8
drwxr-xr-x. 2 root root 6 Oct 13 22:50 9200caf9cb7c493df30a5bc5150ecf814091f42610a0a71a8f8ce39c01f1a1f2
drwxr-xr-x  2 root root 6 Oct 20 16:42 ab657c009327af7a3b6d24192d59c7719154bc6e08e3b11f3a17cb25ef4ba347
drwxr-xr-x  2 root root 6 Oct 20 16:42 ab657c009327af7a3b6d24192d59c7719154bc6e08e3b11f3a17cb25ef4ba347-init
drwxr-xr-x. 2 root root 6 Oct 13 22:50 ba9e0f4d72660e01a817b251b4ef4de5201d63006381ca6bf1e3bd10f4eb846b
drwxr-xr-x. 2 root root 6 Sep 30 22:51 bc8007282b5cdf6f8951f4d7ebbe8f42fcd1fe236c4d0cb04fe33f21c7019f40
drwxr-xr-x  2 root root 6 Oct 20 16:42 c93c182a3e897726dcd1833ff0e0d9a3c771037550c59aef65c86465b224fc08
drwxr-xr-x  2 root root 6 Oct 20 16:42 c93c182a3e897726dcd1833ff0e0d9a3c771037550c59aef65c86465b224fc08-init
drwxr-xr-x. 2 root root 6 Sep 30 22:51 d377ba36801b20e01a93040fb572fe11ae30a1fe7729b9f54aa3e50c49d86828
drwxr-xr-x. 2 root root 6 Oct 12 19:09 f650e29bd4547811b688ca6d675931ea8285909651879d04d66a53e999b28067
drwxr-xr-x. 2 root root 6 Sep 30 22:51 fe4b6f44a992dd644ce4d4030bd6de963557b1b9ccba4bf153d22be158e3098b

/var/lib/docker/image/devicemapper/distribution:
total 0
drwxr-xr-x. 3 root root 19 Sep 30 22:51 diffid-by-digest
drwxr-xr-x. 3 root root 19 Sep 30 22:51 v2metadata-by-diffid

/var/lib/docker/image/devicemapper/distribution/diffid-by-digest:
total 4
drwxr-xr-x. 2 root root 4096 Oct 14 16:40 sha256

/var/lib/docker/image/devicemapper/distribution/diffid-by-digest/sha256:
total 44
-rw-r--r--. 1 root root 71 Sep 30 22:52 17a933729cb7c609461f27522475645e75214537370985c546a2a72157379c8f
-rw-r--r--. 1 root root 71 Oct 13 22:50 28e734cf25407abe469be9069fff804e24810727e4bd3d67813dc6a5d87d0139
-rw-r--r--. 1 root root 71 Sep 30 22:51 30cf2e26a24f2a8426cbe8444f8af2ecb7023bd468b05c1b6fd0b2797b0f9ff9
-rw-r--r--. 1 root root 71 Oct 13 22:50 450a9a5724ff512d1994da1a24cdc66316ed7f06c5fa7e6b271cb42e4e57f965
-rw-r--r--  1 root root 71 Oct 14 16:40 6438277f9132bf1565b674f88706a883691aa6194004ef73c8f1a0d8be4b57ef
-rw-r--r--. 1 root root 71 Oct 13 22:50 94422a9b642e87814aca4bce2ab33824bca0e49897b4ef49c90c34c047aec415
-rw-r--r--. 1 root root 71 Sep 30 22:52 9906236125e93117b6101f14add9db02aff99952346b4cfde8191f1cbd9cb291
-rw-r--r--. 1 root root 71 Sep 30 22:51 99dd41655d8a45c2fb74f9eeb73e327b3ad4796f0ff0d602c575e32e9804baed
-rw-r--r--. 1 root root 71 Sep 30 22:52 9e45f9acaaccc149feec79ae1193b090223e977b172e60c8e2c3283dc97770e1
-rw-r--r--. 1 root root 71 Sep 30 22:51 b0423fb7779ad5cd5e49803e60c10cc24ff6f9f93347a9fe1200cabf3acf6312
-rw-r--r--. 1 root root 71 Oct 12 19:09 b7407808f480c7dc93135b3ccd87e11e0c411a2431ef40cf72d5bb6dd691385e

/var/lib/docker/image/devicemapper/layerdb:
total 8
drwxr-xr-x.  4 root root 4096 Oct 20 16:43 mounts
drwxr-xr-x. 13 root root 4096 Oct 14 16:40 sha256
drwxr-xr-x.  2 root root    6 Oct 14 16:40 tmp

/var/lib/docker/image/devicemapper/layerdb/mounts:
total 0
drwxr-xr-x 2 root root 48 Oct 20 16:42 41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34
drwxr-xr-x 2 root root 48 Oct 20 16:42 5d5b7b2605ae5617fc585fba09ba5e5a38ab347ef8186a57eb104b3275ba9a6a

/var/lib/docker/image/devicemapper/layerdb/mounts/41be5ac2fa330a7dbb550d401269fc7071434222385b484b2b56faefd214bb34:
total 12
-rw-r--r-- 1 root root 69 Oct 20 16:42 init-id
-rw-r--r-- 1 root root 64 Oct 20 16:42 mount-id
-rw-r--r-- 1 root root 71 Oct 20 16:42 parent

/var/lib/docker/image/devicemapper/layerdb/mounts/5d5b7b2605ae5617fc585fba09ba5e5a38ab347ef8186a57eb104b3275ba9a6a:
total 12
-rw-r--r-- 1 root root 69 Oct 20 16:42 init-id
-rw-r--r-- 1 root root 64 Oct 20 16:42 mount-id
-rw-r--r-- 1 root root 71 Oct 20 16:42 parent

/var/lib/docker/image/devicemapper/layerdb/sha256/07178b0237740885b413816f67a9173eb09e90d53c1cb8dcfa375ace183ab502:
total 24
-rw-r--r--. 1 root root   64 Sep 30 22:51 cache-id
-rw-r--r--. 1 root root   71 Sep 30 22:51 diff
-rw-r--r--. 1 root root   71 Sep 30 22:51 parent
-rw-r--r--. 1 root root    8 Sep 30 22:51 size
-rw-r--r--. 1 root root 5521 Sep 30 22:51 tar-split.json.gz


Version-Release number of selected component (if applicable):
docker / docker-latest

How reproducible:
100%

Steps to Reproduce:
1. start a container in docker or openshift

Actual results:
Many directories and files with world readable / executable permissions

Expected results:
Tighter permissions on the files and directories of containers, from the host's point of view.


Additional info:

Comment 3 Daniel Walsh 2016-10-24 18:03:53 UTC
Antonio, let's look at tightening the secrets patch from 0755 to 0700.

Comment 4 Daniel Walsh 2016-10-24 18:05:22 UTC
Vivek, any reason you know of that we could not tighten the image directories to 700? Or 750?

The files like resolv.conf have to be 644.

Comment 5 Antonio Murdaca 2016-10-25 13:55:08 UTC
The secrets patch now creates files and directories with 700. Fixed in docker-1.13; I've also created PRs for docker-1.12 and docker-1.12.2.
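As an added example (not code from the bug report or from docker itself), a Python audit that walks a docker root and flags entries looser than the policy discussed in the description and in Comments 4 and 5: secrets entries must be 0700, resolv.conf/hosts/hostname stay 0644, and nothing else should carry world bits. The sample tree, the placeholder container id and the decision to leave group bits to site policy are assumptions of this example.

```python
import os
import stat
import tempfile
from pathlib import Path
# Files docker must leave 0644: bind-mounted into the container (Comment 4).
MUST_BE_0644 = {"resolv.conf", "hosts", "hostname"}

def classify(relpath, mode):
    """Finding for one entry (path relative to the docker root, permission
    bits only), or None when it meets the policy."""
    rel = Path(relpath)
    if "secrets" in rel.parts:
        # Comment 5: the secrets patch now creates everything with 0700.
        return "secrets entry not 0700" if mode & 0o077 else None
    if rel.name in MUST_BE_0644:
        return None if mode == 0o644 else "expected exactly 0644"
    # Anything else should not be reachable by "other"; group bits are
    # left to site policy (Comment 4 considers 700 or 750).
    return "world-accessible" if mode & 0o007 else None

def audit_docker_root(root):
    """Walk a docker root; return sorted (relpath, octal mode, reason)."""
    root, findings = Path(root), []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            mode = stat.S_IMODE(os.lstat(p).st_mode)  # lstat: don't follow links
            rel = str(p.relative_to(root))
            reason = classify(rel, mode)
            if reason:
                findings.append((rel, oct(mode), reason))
    return sorted(findings)

def build_sample_tree():
    """Constructed fixture with the modes from the bug's ls output; the
    container id '0000cafe' is a placeholder, not one from the report."""
    root = Path(tempfile.mkdtemp())
    spec = [  # (relative path, is_dir, mode), parents listed first
        ("containers", True, 0o700), ("containers/0000cafe", True, 0o700),
        ("containers/0000cafe/resolv.conf", False, 0o644),
        ("containers/0000cafe/secrets", True, 0o755),
        ("containers/0000cafe/secrets/etc-pki-entitlement", True, 0o755),
        ("containers/0000cafe/secrets/etc-pki-entitlement/key.pem", False, 0o755),
        ("devicemapper", True, 0o700), ("devicemapper/mnt", True, 0o755),
    ]
    for rel, is_dir, mode in spec:
        p = root / rel
        p.mkdir() if is_dir else p.write_text("x")
        os.chmod(p, mode)  # explicit, so the umask cannot interfere
    return root
```

Run it against a real host with `audit_docker_root("/var/lib/docker")` as root; the fixture only reproduces the modes seen in the report.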

Comment 6 Daniel Walsh 2017-06-30 15:17:06 UTC
Fixed in the current release.