Bug 1466242
| Summary: | Unable to change permissions of hostconfig.json and config.v2.json | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Suhaas Bhat <subhat> |
| Component: | docker | Assignee: | Antonio Murdaca <amurdaca> |
| Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | amurdaca, dwalsh, lsm5, lsu |
| Target Milestone: | rc | Keywords: | Extras |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | docker-2:1.12.6-50.git0fdc778 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-09-05 10:35:14 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Suhaas Bhat
2017-06-29 10:32:28 UTC
I don't see any files with these permissions running docker-1.13?

This is not a big security problem since non-privileged users can't get access to these files, but I have no idea why this is happening. Yes, the docker-latest package allows changing those files' permissions.

docker-latest seems to have the same "issue" - not sure what's happening in docker since the only things docker does with that file are opening it, reading it and writing it. I can't see any code path setting/changing perms on it. Just curious, what's the use case of changing perms of this file? I wouldn't say this is a bug...

Alright, I found what changed - this happens when writing the hostconfig file. But I still want to hear why we should support this use case. The change between 1.12 and 1.13 is this:
1 tree 0b61f8fbfe6e4d6402e140c31b4c34ad99df3eb1
2 parent bf16fa47b7fcf5133818cd12bab1c2f60ba8d363
3 author epeterso <epeterson> Tue Nov 1 16:00:17 2016 -0400
4 committer epeterso <epeterson> Tue Nov 1 16:18:15 2016 -0400
5
6 remove world/group writable perms
7
8 change files from being written with group and world writable permissions.
9
10 Signed-off-by: epeterso <epeterson>
11
12 diff --git a/container/container.go b/container/container.go
13 index dc08cebba..722271be9 100644
14 --- a/container/container.go
15 +++ b/container/container.go
16 @@ -147,7 +147,7 @@ func (container *Container) ToDisk() error {
17 return err
18 }
19
20 - jsonSource, err := ioutils.NewAtomicFileWriter(pth, 0666)
21 + jsonSource, err := ioutils.NewAtomicFileWriter(pth, 0644)
22 if err != nil {
23 return err
24 }
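Review bot: 0644 clears the group/other write bits but still leaves the file world-readable; since ToDisk is the daemon's own persistence path for config.v2.json, 0600 would be the least-privilege choice, and the mode should come from one named constant shared with WriteHostConfig in the next hunk so the two call sites cannot drift apart again. The commit message should also say why the old 0666 was there, if anyone knows, since the thread above found no code path that relies on it.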
25 @@ -207,7 +207,7 @@ func (container *Container) WriteHostConfig() error {
26 return err
27 }
28
29 - f, err := ioutils.NewAtomicFileWriter(pth, 0666)
30 + f, err := ioutils.NewAtomicFileWriter(pth, 0644)
31 if err != nil {
32 return err
33 }
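Review bot: same change as the ToDisk hunk, so the two literals belong in a single constant rather than being edited in lockstep. The bug report shows these files landing on disk as world-writable, i.e. the mode passed to NewAtomicFileWriter is what users actually see rather than something the umask trims, so a one-line comment at this call site explaining that would help the next reader; a small test that stats hostconfig.json after WriteHostConfig and asserts no group/other write bit would also keep the 1.12 backport from regressing.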
That looks correct. We should backport this.

Antonio, people have tools that search the file system for world-writable content and then mark the systems as unsafe, even though a non-privileged user can't get to the file. Fixing this issue will make people scanning systems happier.

Alright, I've backported the patch to 1.12.6.

Verified in docker-1.12.6-55.gitc4618fb.el7.x86_64

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2599
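The thread comes down to two things: the mode literal handed to the daemon's atomic file writer, and the scanners that flag group/world-writable files regardless of whether anyone can reach them. This added Go example (not docker's code, and not from anyone in the thread) shows both sides on a constructed scratch tree; the writer is an assumed sketch of how ioutils.NewAtomicFileWriter behaves, and the names WriteFileAtomic and WorldOrGroupWritable are mine.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Assumed sketch of docker's ioutils.NewAtomicFileWriter (not the project's code):
// temp file beside the target, explicit Chmod (so the umask is NOT applied), rename.
func WriteFileAtomic(path string, data []byte, perm os.FileMode) error {
	tmp, err := os.CreateTemp(filepath.Dir(path), ".tmp-"+filepath.Base(path))
	if err != nil {
		return err
	}
	_, err = tmp.Write(data)
	if cerr := tmp.Close(); err == nil {
		err = cerr
	}
	if err == nil {
		if err = os.Chmod(tmp.Name(), perm); err == nil { // 0666 vs 0644 is decided here
			err = os.Rename(tmp.Name(), path)
		}
	}
	if err != nil {
		os.Remove(tmp.Name()) // best effort: never leave the temp file behind
	}
	return err
}

// Regular files under root with the group- or other-write bit set: the scanners' check.
func WorldOrGroupWritable(root string) ([]string, error) {
	var hits []string
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err == nil && info.Mode().IsRegular() && info.Mode().Perm()&0022 != 0 {
			hits = append(hits, p)
		}
		return err
	})
	return hits, err
}

func main() {
	dir, _ := os.MkdirTemp("", "bz1466242") // constructed scratch tree
	defer os.RemoveAll(dir)
	WriteFileAtomic(filepath.Join(dir, "hostconfig.json"), []byte("{}"), 0666) // pre-patch mode
	WriteFileAtomic(filepath.Join(dir, "config.v2.json"), []byte("{}"), 0644)  // post-patch mode
	hits, _ := WorldOrGroupWritable(dir)
	fmt.Println("group/world-writable:", hits) // only hostconfig.json
}
```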