Bug 2138434 - podman: ubi8 sticky bit removed from /tmp
Summary: podman: ubi8 sticky bit removed from /tmp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: podman
Version: 8.6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.8
Assignee: Jindrich Novy
QA Contact: Joy Pu
URL:
Whiteboard:
Duplicates: 2138431
Depends On: 2141452 2152001
Blocks: 2152023 2152027
Reported: 2022-10-28 19:37 UTC by rseip
Modified: 2023-05-16 09:12 UTC
CC: 18 users

Fixed In Version: podman-4.4.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2141452 2152023 2152027
Environment:
Last Closed: 2023-05-16 08:22:22 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
  GitHub containers/buildah pull 4411, status Merged: copier.Put(): clear up os/syscall mode bit confusion (last updated 2022-11-10 15:55:20 UTC)
  GitHub containers/podman pull 16578, status Merged: Update vendor of containers/(buildah, common, storage, image) (last updated 2022-12-09 17:45:06 UTC)
  Red Hat Bugzilla 2138431, priority unspecified, status CLOSED: ubi8-minimal sticky bit removed from /tmp (last updated 2022-11-09 19:01:44 UTC)
  Red Hat Issue Tracker RHELPLAN-137805 (last updated 2022-10-28 19:40:07 UTC)
  Red Hat Product Errata RHSA-2023:2758 (last updated 2023-05-16 08:23:42 UTC)

Internal Links: 2138431

Description rseip 2022-10-28 19:37:16 UTC
Description of problem:

The sticky bit has been removed from /tmp directory in ubi8/ubi:8.6-990 and ubi8/ubi:8.6-983. It was present in previous image ubi8/ubi:8.6-943.1665521450.

Version-Release number of selected component (if applicable):

ubi8/ubi:8.6-990 and ubi8/ubi:8.6-983

How reproducible: see Steps to Reproduce below.

Steps to Reproduce:
1. podman run -ti registry.access.redhat.com/ubi8/ubi:8.6-990 ls -ld /tmp
2. podman run -ti registry.access.redhat.com/ubi8/ubi:8.6-983 ls -ld /tmp
3. podman run -ti registry.access.redhat.com/ubi8/ubi:8.6-943.1665521450 ls -ld /tmp

Actual results:

For ubi8/ubi:8.6-983:

drwxrwxrwx. 2 root root 58 Oct 19 04:57 /tmp

For ubi8/ubi:8.6-990:

drwxrwxrwx. 2 root root 58 Oct 26 11:23 /tmp

Expected results:

For ubi8/ubi:8.6-983:

drwxrwxrwt. 2 root root 58 Oct 19 04:57 /tmp

For ubi8/ubi:8.6-990:

drwxrwxrwt. 2 root root 58 Oct 26 11:23 /tmp

Additional info:

No longer compliant with https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-stig.html#xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits

Comment 1 Jason Frey 2022-11-08 16:28:23 UTC
One side effect of this is that in Ruby, `Dir.tmpdir` refuses to use /tmp dir resulting in an exception: "ArgumentError (could not find a temporary directory)".  See also https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3933.


Another view using `stat`

$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi8/ubi:8.6-943.1665521450

[root@6dc45f004085 /]# stat /tmp | grep Access
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)

$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi8/ubi:8.6-983

[root@68270b51c126 /]# stat /tmp | grep Access
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
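
The reporter's ls -ld /tmp, the STIG rule linked in the description and the Ruby Dir.tmpdir behaviour described in Comment 1 all come down to one predicate: a directory is world-writable and the sticky bit is not set, so any user can unlink or rename other users' files inside it. As an added example (it is not part of the bug report, of podman, or of Ruby's tmpdir), here is that predicate in Go as a scanner over a directory tree, which can be pointed at a mounted image rootfs such as the mount point printed by `podman mount`; the two fixture directories it creates are constructed for the demo and their names are arbitrary.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// needsSticky reports whether a mode describes a directory that is
// world-writable but lacks the sticky bit. This is the predicate behind
// the STIG rule dir_perms_world_writable_sticky_bits and the reason Ruby's
// Dir.tmpdir rejects such a directory: without the sticky bit any user can
// delete or rename another user's files in it.
func needsSticky(m os.FileMode) bool {
	return m.IsDir() && m&0o002 != 0 && m&os.ModeSticky == 0
}

// scanWorldWritable walks root and returns, sorted, every directory under
// it for which needsSticky holds. Point root at a mounted image rootfs
// (for example the mount point printed by "podman mount") to audit the
// whole tree the way the reporter's ls -ld /tmp audits one directory.
// WalkDir uses Lstat, so symlinks are not followed.
func scanWorldWritable(root string) ([]string, error) {
	var hits []string
	walkErr := filepath.WalkDir(root, func(path string, d os.DirEntry, err error) error {
		if err != nil {
			if d == nil {
				return err // root itself could not be stat'ed: fatal
			}
			return nil // an unreadable subtree is skipped, not fatal
		}
		if !d.IsDir() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return nil
		}
		if needsSticky(info.Mode()) {
			hits = append(hits, path)
		}
		return nil
	})
	sort.Strings(hits)
	return hits, walkErr
}

// makeFixture creates two constructed directories under dir for the demo:
// "tmp-no-sticky" as the affected images ship /tmp (0777) and "tmp-sticky"
// as expected (1777). Both are chmod'ed after creation so the process umask
// cannot interfere. It returns their paths.
func makeFixture(dir string) (noSticky, sticky string, err error) {
	noSticky = filepath.Join(dir, "tmp-no-sticky")
	sticky = filepath.Join(dir, "tmp-sticky")
	if err = os.Mkdir(noSticky, 0o755); err != nil {
		return
	}
	if err = os.Mkdir(sticky, 0o755); err != nil {
		return
	}
	if err = os.Chmod(noSticky, 0o777); err != nil {
		return
	}
	err = os.Chmod(sticky, 0o777|os.ModeSticky)
	return
}

func main() {
	root, err := os.MkdirTemp("", "rootfs-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	if _, _, err := makeFixture(root); err != nil {
		panic(err)
	}
	hits, err := scanWorldWritable(root)
	if err != nil {
		panic(err)
	}
	// Only the 0777 fixture is printed, as "drwxrwxrwx <path>"; the 1777
	// sibling is not a hit.
	for _, p := range hits {
		info, err := os.Lstat(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s %s\n", info.Mode(), p)
	}
}
```

The rule is about directories, so regular world-writable files are deliberately out of scope here; on Linux the sticky bit on a file has no effect.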

Comment 2 Jason Frey 2022-11-08 17:23:37 UTC
ubi9 is also affected as of ubi9/ubi:9.0.0-1640.1666621574.


$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi9/ubi:9.0.0-1640.1665068441

[root@35e71c989f5a /]# stat /tmp | grep Access
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)

$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi8/ubi:9.0.0-1640.1666621574

[root@d4a641cdda41 /]# stat /tmp | grep Access
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)


Additionally, the minimal variants also are affected.

One interesting note here is that this also aligns with what appears to be a reduction from 2 layers to 1 layer, which can be seen during a docker pull.

Comment 4 Derrick Ornelas 2022-11-09 18:55:13 UTC
This appears to be a podman issue. The new image build system now uses podman, and during the build the sticky bit is removed for a yet unknown reason.
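
The buildah pull request listed under Links is titled "copier.Put(): clear up os/syscall mode bit confusion", and the podman pull request listed next to it vendors that buildah into podman 4.4 (the Fixed In Version). What such a confusion looks like, as an added example that is not buildah's or podman's code and does not claim to reproduce the exact defect fixed there: Go's os.FileMode stores setuid, setgid and sticky in high bits, while chmod(2), mkdir(2), stat(2) and tar headers use the POSIX 04000/02000/01000 positions, so converting in either direction by a plain cast silently drops exactly the bit this bug is about. The constant names and helper functions below are this example's own.

```go
package main

import (
	"fmt"
	"os"
)

// Raw mode bits as stat(2), chmod(2), mkdir(2) and tar headers encode them.
// Spelled out here instead of using syscall.S_ISVTX and friends so the
// example does not depend on GOOS; the values are the POSIX ones.
const (
	rawSetuid uint32 = 0o4000
	rawSetgid uint32 = 0o2000
	rawSticky uint32 = 0o1000
	rawPerm   uint32 = 0o777
)

// naiveRawMode is the lossy conversion. os.FileMode keeps setuid, setgid
// and sticky in high bits (os.ModeSetuid = 1<<23, os.ModeSetgid = 1<<22,
// os.ModeSticky = 1<<20), so truncating to uint32 and masking to the 12
// bits the kernel accepts leaves only rwx: 1777 comes out as 0777.
func naiveRawMode(m os.FileMode) uint32 {
	return uint32(m) & 0o7777
}

// rawMode is the correct os.FileMode -> raw mode word direction: the
// permission bits are copied and each special bit is moved to its POSIX
// position. This mirrors what os.Chmod does internally before chmod(2).
func rawMode(m os.FileMode) uint32 {
	raw := uint32(m.Perm())
	if m&os.ModeSetuid != 0 {
		raw |= rawSetuid
	}
	if m&os.ModeSetgid != 0 {
		raw |= rawSetgid
	}
	if m&os.ModeSticky != 0 {
		raw |= rawSticky
	}
	return raw
}

// fileModeFromRaw is the inverse, for modes read from a tar header or a
// stat result. Without it, os.FileMode(0o1777) has bit 9 set, which
// os.FileMode does not define, and Perm() masks it away: sticky lost again.
func fileModeFromRaw(raw uint32) os.FileMode {
	m := os.FileMode(raw & rawPerm)
	if raw&rawSetuid != 0 {
		m |= os.ModeSetuid
	}
	if raw&rawSetgid != 0 {
		m |= os.ModeSetgid
	}
	if raw&rawSticky != 0 {
		m |= os.ModeSticky
	}
	return m
}

// stickyOnDisk applies m to path with os.Chmod and reports whether the
// kernel ended up with the sticky bit set, so both ways of building the
// mode can be compared on a real directory.
func stickyOnDisk(path string, m os.FileMode) (bool, error) {
	if err := os.Chmod(path, m); err != nil {
		return false, err
	}
	info, err := os.Lstat(path)
	if err != nil {
		return false, err
	}
	return info.Mode()&os.ModeSticky != 0, nil
}

func main() {
	want := os.FileMode(0o777) | os.ModeSticky // /tmp as it should be: 1777
	fmt.Printf("naiveRawMode(1777) = %04o\n", naiveRawMode(want)) // 0777
	fmt.Printf("rawMode(1777)      = %04o\n", rawMode(want))      // 1777

	dir, err := os.MkdirTemp("", "tmp-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	for _, c := range []struct {
		label string
		mode  os.FileMode
	}{
		{"raw 01777 cast straight to os.FileMode", os.FileMode(0o1777)}, // sticky on disk: false
		{"raw 01777 via fileModeFromRaw", fileModeFromRaw(0o1777)},       // sticky on disk: true
	} {
		sticky, err := stickyOnDisk(dir, c.mode)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-42s sticky on disk: %v\n", c.label, sticky)
	}
}
```

Any code path that reads a mode out of a tar header (the image build in Comment 18 starts with ADD of a rootfs tarball) and hands it to a syscall or to os.Chmod has to go through a mapping like rawMode/fileModeFromRaw; ls -ld /tmp on the built image, as in the reporter's steps, is the cheap regression check.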

Comment 5 Derrick Ornelas 2022-11-09 18:57:32 UTC
*** Bug 2138431 has been marked as a duplicate of this bug. ***

Comment 18 Joy Pu 2023-02-13 08:09:31 UTC
Tested with podman-4.4.0-1.module+el8.8.0+18060+3f21f2cc.x86_64 and the "t" shows up in the ls output. So moving it to verified. More details:
# podman build -t test .
STEP 1/23: FROM scratch
STEP 2/23: ADD rhel-base-fs-container-8.6-2480.x86_64.tar.gz /
--> 3390829f087
STEP 3/23: ADD tls-ca-bundle.pem /tmp/tls-ca-bundle.pem
--> 54bc11249fa
STEP 4/23: ADD atomic-reactor-repos/* /etc/yum.repos.d/
--> de3ccb65342
STEP 5/23: LABEL maintainer="Red Hat, Inc."
--> a7e84022ea3
STEP 6/23: LABEL com.redhat.component="ubi8-container"       name="ubi8"       version="8.6"
--> 9ce5f131243
STEP 7/23: LABEL com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI"
--> b51b159625f
STEP 8/23: LABEL summary="Provides the latest release of Red Hat Universal Base Image 8."
--> ae5b22e0bb0
STEP 9/23: LABEL description="The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly."
--> 5b5b466fc71
STEP 10/23: LABEL io.k8s.display-name="Red Hat Universal Base Image 8"
--> d699ee1a20f
STEP 11/23: LABEL io.openshift.expose-services=""
--> c8cb65ef7e5
STEP 12/23: LABEL io.openshift.tags="base rhel8"
--> 0a2e37159a1
STEP 13/23: ENV container oci
--> 829cc16e751
STEP 14/23: ENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
--> 51b4447a80c
STEP 15/23: CMD ["/bin/bash"]
--> c9e8796d317
STEP 16/23: RUN rm -rf /var/log/*
--> cc04997188e
STEP 17/23: RUN mkdir -p /var/log/rhsm
--> 969a103b568
STEP 18/23: LABEL release=1054
--> 1380a84f29c
STEP 19/23: ADD ubi8-container-8.6-1054.json /root/buildinfo/content_manifests/ubi8-container-8.6-1054.json
--> 0d18e0302fe
STEP 20/23: ADD Dockerfile-ubi8-8.6-1054 /root/buildinfo/Dockerfile-ubi8-8.6-1054
--> 954877a1ca1
STEP 21/23: LABEL "distribution-scope"="public" "vendor"="Red Hat, Inc." "build-date"="2022-12-19T02:04:53" "architecture"="x86_64" "vcs-type"="git" "vcs-ref"="f1ee6e37554363ec55e0035aba1a693d3627fdeb" "io.k8s.description"="The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly." "url"="https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/images/8.6-1054"
--> 593637f9054
STEP 22/23: RUN rm -f '/etc/yum.repos.d/beaker-AppStream.repo'
--> 97506e50914
STEP 23/23: RUN rm -f /tmp/tls-ca-bundle.pem
COMMIT test
--> 156b48d357b
Successfully tagged localhost/test:latest
156b48d357b955b7963905fdc541ffb8e410ab73e5d19008108bb7d0f986cfbb
# podman run test ls -ld /tmp
drwxrwxrwt. 1 root root 31 Feb 13 07:57 /tmp

Comment 20 errata-xmlrpc 2023-05-16 08:22:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2758

