Bug 1958406 - Twistlock flags mode of /var/run/crio/crio.sock
Summary: Twistlock flags mode of /var/run/crio/crio.sock
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Node
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: 4.8.0
Assignee: Peter Hunt
QA Contact: Sunil Choudhary
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-05-07 20:31 UTC by David Kaylor
Modified: 2022-04-06 05:58 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 23:07:25 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github cri-o cri-o pull 4886 0 None open reduce listen socket permissions to 0600 2021-05-10 20:15:03 UTC
Github cri-o cri-o pull 4930 0 None open [release-1.21] reduce listen socket permissions to 0660 2021-05-20 17:15:56 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 23:07:42 UTC

Description David Kaylor 2021-05-07 20:31:57 UTC
OCP Version at Install Time: 4.7
RHCOS Version at Install Time: 4.7
Platform: AWS, bare metal
Architecture: x86_64

What are you trying to do? What is your use case?
This may not be a bug. If not, an explanation that can be taken back to Twistlock would be appreciated.

What happened? What went wrong or what did you expect?
A Twistlock scan shows the mode of the file is 755, but the file perms should not exceed 660 according to them.

What are the steps to reproduce your issue? Please try to reduce these steps to something that can be reproduced with a single RHCOS node.
The current mode can be confirmed with "ls -l /var/run/crio/crio.sock"

Comment 2 Peter Hunt 2021-05-10 20:15:03 UTC
I can't think of a historical reason; it's just what golang does (see https://github.com/golang/go/issues/11822)

let's see what happens if we change it

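The Go behaviour referenced in the comment above, shown as an added example (not code from the bug report or from cri-o): bind(2) creates the socket node as 0777 minus the process umask, so net.Listen("unix", ...) typically leaves it at 0755, which is the mode the scanner flagged. The listenRestricted function tightens the node with os.Chmod after listening; that chmod-after-listen approach, the function names and the scratch path are assumptions for this example, not necessarily how the linked PR implements the 0600/0660 change.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

// expectedDefaultMode computes the permission bits Go leaves on a Unix socket
// node: the kernel creates it as 0777 and strips only the process umask, so
// with the usual umask of 022 the result is 0755. Reading the umask this way
// briefly sets it to 0, which is fine for a demo but racy in a threaded daemon.
func expectedDefaultMode() os.FileMode {
	old := syscall.Umask(0)
	syscall.Umask(old)
	return 0o777 &^ os.FileMode(old)
}

// socketMode returns the permission bits of the node at path, which is what
// "ls -l /var/run/crio/crio.sock" prints and what the scanner compared to 660.
func socketMode(path string) (os.FileMode, error) {
	fi, err := os.Lstat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// listenDefault is a plain net.Listen with no adjustment, so the socket keeps
// the umask-derived mode (the situation reported in this bug).
func listenDefault(path string) (net.Listener, error) {
	return net.Listen("unix", path)
}

// listenRestricted is the hardened variant (example approach, assumed here):
// listen, then chmod the node down to the requested mode, e.g. 0600 so only
// the owner can connect, or 0660 to also admit a trusted group.
func listenRestricted(path string, mode os.FileMode) (net.Listener, error) {
	// Remove a stale node left by a previous instance; a missing file is fine.
	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
		return nil, err
	}
	l, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	// Until this chmod completes the node carries the default mode; a daemon
	// that cannot tolerate that window should create the socket inside a
	// directory that is itself not world-accessible.
	if err := os.Chmod(path, mode); err != nil {
		l.Close()
		return nil, err
	}
	return l, nil
}

func main() {
	dir, err := os.MkdirTemp("", "sockdemo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	// Constructed scratch path standing in for /var/run/crio/crio.sock.
	sock := filepath.Join(dir, "crio.sock")

	l, err := listenDefault(sock)
	if err != nil {
		panic(err)
	}
	m, _ := socketMode(sock)
	fmt.Printf("default:    %04o (umask-derived, expected %04o)\n", m, expectedDefaultMode())
	l.Close() // closing a listener created by net.Listen also unlinks the node

	l, err = listenRestricted(sock, 0o600)
	if err != nil {
		panic(err)
	}
	m, _ = socketMode(sock)
	fmt.Printf("restricted: %04o\n", m)
	l.Close()
}
```

Closing a Unix listener that net.Listen created unlinks the socket node, which is why the restricted variant can be called on the same path afterwards; the os.Remove guard covers the crash-restart case where no Close ever ran.
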
Comment 3 Peter Hunt 2021-05-20 17:16:01 UTC
4.8 fix attached

Comment 4 Peter Hunt 2021-05-21 12:53:44 UTC
PR merged

Comment 9 errata-xmlrpc 2021-07-27 23:07:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

