Bug 1466242 - Unable to change permissions of hostconfig.json and config.v2.json
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: docker
x86_64 Linux
unspecified Severity medium
: rc
: ---
Assigned To: Antonio Murdaca
: Extras
Depends On:
Reported: 2017-06-29 06:32 EDT by Suhaas Bhat
Modified: 2017-09-05 06:35 EDT (History)

See Also:
Fixed In Version: docker-2:1.12.6-50.git0fdc778
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-09-05 06:35:14 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Suhaas Bhat 2017-06-29 06:32:28 EDT
Description of problem:
We are unable to change the permissions of these two json files inside /var/lib/docker/containers/<container ID>/ whenever any container is created.
If we change the permissions once, they get automatically changed if we start/stop the container or restart the docker service.

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux Server release 7.3 (Maipo)

How reproducible:

Steps to Reproduce:
1. chmod 755 /var/lib/docker/containers/<container-id>/config.v2.json
2. docker start/stop <container-id>
3. Permission changed to -rw-rw-rw- (not changeable)

Actual results:
Permissions do not change and get back to the original ones, i.e. 666 (world writable)

Expected results:
Should have changed to 755

Additional info:
Comment 2 Daniel Walsh 2017-06-29 08:35:05 EDT
I don't see any files with these permissions running docker-1.13?
Comment 3 Daniel Walsh 2017-06-29 08:37:02 EDT
This is not a big security problem since non-privileged users can get access to these files, but I have no idea why this is happening.
Comment 4 Suhaas Bhat 2017-06-29 08:54:39 EDT
Yes, the docker-latest package allows changing those files' permissions.
Comment 5 Antonio Murdaca 2017-06-29 09:39:28 EDT
docker-latest seems to have the same "issue" - not sure what's happening in docker since the only things docker does with that file are opening it, reading it and writing it. I can't see any code path setting/changing perms on it.

Just curious, what's the use case of changing perms of this file? I wouldn't say this is a bug...
Comment 6 Antonio Murdaca 2017-06-29 09:40:55 EDT
alright, I found what changed - this happens when writing the hostconfig file. But I still want to hear why we should support this use case.
Comment 7 Antonio Murdaca 2017-06-29 09:42:06 EDT
The change between 1.12 and 1.13 is this:

  1 tree 0b61f8fbfe6e4d6402e140c31b4c34ad99df3eb1
  2 parent bf16fa47b7fcf5133818cd12bab1c2f60ba8d363
  3 author epeterso <epeterson@breakpoint-labs.com> Tue Nov 1 16:00:17 2016 -0400
  4 committer epeterso <epeterson@breakpoint-labs.com> Tue Nov 1 16:18:15 2016 -0400
  6 remove world/group writable perms
  8 change files from being written with group and world writable permissions.
 10 Signed-off-by: epeterso <epeterson@breakpoint-labs.com>
 12 diff --git a/container/container.go b/container/container.go
 13 index dc08cebba..722271be9 100644
 14 --- a/container/container.go
 15 +++ b/container/container.go
 16 @@ -147,7 +147,7 @@ func (container *Container) ToDisk() error {
 17                 return err
 18         }
 20 -       jsonSource, err := ioutils.NewAtomicFileWriter(pth, 0666)
 21 +       jsonSource, err := ioutils.NewAtomicFileWriter(pth, 0644)
 22         if err != nil {
 23                 return err
 24         }
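Review bot: the `0644` passed to `ioutils.NewAtomicFileWriter(pth, 0644)` removes the group- and world-writable default, but because `ToDisk()` hands an explicit mode to the atomic writer on every call, whatever mode the file had before is replaced each time the container is written to disk, which is exactly what the reporter saw when a chmod was undone by start/stop; the commit message should state that operator chmods on config.v2.json are not preserved by design, so nobody files this as a regression.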
 25 @@ -207,7 +207,7 @@ func (container *Container) WriteHostConfig() error {
 26                 return err
 27         }
 29 -       f, err := ioutils.NewAtomicFileWriter(pth, 0666)
 30 +       f, err := ioutils.NewAtomicFileWriter(pth, 0644)
 31         if err != nil {
 32                 return err
 33         }
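Review bot: `WriteHostConfig()` repeats the same literal `0644` as `ToDisk()` in the previous hunk; a shared named constant for the on-disk config file mode would keep the two call sites from drifting apart the next time one is touched, and the commit message ("change files from being written with group and world writable permissions") should name the two files affected, config.v2.json and hostconfig.json, so a backport can be verified file by file.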
Comment 8 Daniel Walsh 2017-06-29 09:50:11 EDT
That looks correct. We should backport this.
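The mechanism Antonio points to in comments 5 to 7, written out as an added Go example (not Docker's own code): a simplified stand-in for ioutils.NewAtomicFileWriter that shows why the reporter's chmod is undone on every start/stop, and how the 0666 to 0644 change in the patch alters the resulting mode. The helper names and the sample hostconfig.json content are assumptions.

```go
package main

import (
	"os"
	"path/filepath"
)

// atomicWrite is a simplified stand-in (added here, not Docker's code) for the
// temp-file-then-rename pattern of ioutils.NewAtomicFileWriter: the new file gets
// an explicit mode and replaces the old inode, so a manual chmod is discarded.
func atomicWrite(path string, data []byte, perm os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".tmp-"+filepath.Base(path))
	if err != nil {
		return err
	}
	name := tmp.Name()
	if _, err = tmp.Write(data); err == nil {
		err = tmp.Close()
	}
	if err == nil {
		err = os.Chmod(name, perm) // explicit, so the umask cannot narrow it
	}
	if err == nil {
		err = os.Rename(name, path)
	}
	if err != nil {
		os.Remove(name)
	}
	return err
}

// modeAfterRewrite: chmod a constructed file to 0755, rewrite it, return its mode.
func modeAfterRewrite(dir string, writerPerm os.FileMode) (os.FileMode, error) {
	path := filepath.Join(dir, "hostconfig.json")
	err := os.WriteFile(path, []byte("{}"), 0644)
	if err == nil {
		err = os.Chmod(path, 0755) // the operator's manual chmod from the report
	}
	if err == nil {
		err = atomicWrite(path, []byte(`{"Binds":null}`), writerPerm)
	}
	if err != nil {
		return 0, err
	}
	st, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return st.Mode().Perm(), nil
}
```

Calling modeAfterRewrite with 0666 (the docker 1.12 default) yields a 666 file and with 0644 (the backported patch) a 644 file, regardless of the 0755 set beforehand.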
Comment 9 Daniel Walsh 2017-06-30 09:59:44 EDT
Antonio, people have tools that search the file system for world-writable content and then mark the systems as unsafe, even though a non-privileged user can't get to the file. Fixing this issue will make people scanning systems happier.
Comment 10 Antonio Murdaca 2017-06-30 10:33:22 EDT
alright, I've backported the patch to 1.12.6
Comment 12 Luwen Su 2017-08-25 04:11:41 EDT
Verified in docker-1.12.6-55.gitc4618fb.el7.x86_64
Comment 14 errata-xmlrpc 2017-09-05 06:35:14 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

