MariaDB / mariadb-docker

Docker Official Image packaging for MariaDB
https://mariadb.org
GNU General Public License v2.0

CIS failure due to world-writable directory /var/run/mysqld #532

Closed ollie1 closed 9 months ago

ollie1 commented 9 months ago

There is a line in the Dockerfiles which sets the directory permissions of /var/run/mysqld to 777 - e.g. https://github.com/MariaDB/mariadb-docker/blob/master/10.6/Dockerfile#L123 and similar for other versions.

# ensure that /var/run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime
    chmod 777 /var/run/mysqld; \

This works fine, but when the host operating system is scanned against the CIS (https://www.cisecurity.org/) benchmark for that operating system (e.g. CentOS 7, although this applies to other operating systems too), the CIS benchmark fails on the check "Ensure sticky bit is set on all world-writable directories".

The rationale for this requirement is: "This feature prevents the ability to delete or rename files in world writable directories (such as /tmp ) that are owned by another user."

This could be fixed by changing the above line in the Dockerfiles to the following (i.e. 1777 instead of 777), to set the sticky bit on the directory. This would ensure compliance with CIS and remove the security concern.

# ensure that /var/run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime
    chmod 1777 /var/run/mysqld; \

Would it be possible to make this change? Many thanks
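The CIS check the report refers to is, in essence, a find for directories that are world-writable but lack the sticky bit. The script below is an added example (not code from the mariadb-docker repository or from either commenter) that reproduces that check scoped to a single directory tree, so it runs unprivileged, and exercises it against a constructed tree containing the pre-fix mode (777) next to the proposed one (1777). The function and directory names are assumptions for the demo.

```shell
# Added example: a scoped version of the CIS "sticky bit on world-writable
# directories" check, run against a constructed tree. Not part of mariadb-docker.

# List every directory under $1 that is world-writable (o+w) but has no sticky bit.
# This is the same predicate the CIS audit uses: -perm -0002 ! -perm -1000.
find_unsticky_world_writable() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Succeed (exit 0) when the tree under $1 is compliant, fail (exit 1) otherwise.
check_sticky_on_world_writable() {
    [ -z "$(find_unsticky_world_writable "$1")" ]
}

# Constructed demo tree: "before" mirrors the Dockerfile's chmod 777,
# "after" mirrors the proposed chmod 1777. Paths are hypothetical.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/before/var/run/mysqld" "$demo_root/after/var/run/mysqld"
chmod 777  "$demo_root/before/var/run/mysqld"   # as in the Dockerfile before the fix
chmod 1777 "$demo_root/after/var/run/mysqld"    # sticky bit set (drwxrwxrwt)

echo "mode before: $(ls -ld "$demo_root/before/var/run/mysqld" | cut -d' ' -f1)"
echo "mode after:  $(ls -ld "$demo_root/after/var/run/mysqld"  | cut -d' ' -f1)"

echo "non-compliant directories under before/:"
find_unsticky_world_writable "$demo_root/before"
echo "non-compliant directories under after/:"
find_unsticky_world_writable "$demo_root/after"
```

The real benchmark audit walks every local filesystem (typically via `df --local -P` feeding `find -xdev`), which is why a host-side scan picks up a directory created inside an image: image layers are stored on the host's filesystem under the Docker data root. With `1777` the directory stays writable by whatever UID mysqld runs as, but only a file's owner (or root) can remove or rename it, which is exactly what the benchmark rationale asks for.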

grooverdan commented 9 months ago

Well spotted @ollie1. Thanks for the bug report. Per above commit, a fix will be in the next release.