There is a line in the Dockerfiles which sets the directory permissions of `/var/run/mysqld` to 777 - e.g. https://github.com/MariaDB/mariadb-docker/blob/master/10.6/Dockerfile#L123 and similar for other versions.

```shell
# ensure that /var/run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime
chmod 777 /var/run/mysqld; \
```

This works fine, but when the host operating system is scanned by the CIS (https://www.cisecurity.org/) benchmark for the operating system (e.g. CentOS 7, although applies to other operating systems), the CIS benchmark fails on the check "Ensure sticky bit is set on all world-writable directories".

The rationale for this requirement is:

"This feature prevents the ability to delete or rename files in world writable directories (such as /tmp ) that are owned by another user."

This could be fixed by changing the above line in the Dockerfiles to the following (i.e. 1777 instead of 777), to set the sticky bit on the directory. This would ensure compliance with CIS and remove the security concern.

```shell
# ensure that /var/run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime
chmod 1777 /var/run/mysqld; \
```

Would it be possible to make this change? Many thanks
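The audit behind the CIS check quoted above, as an added shell example that is not part of the issue or of the mariadb-docker project; the two directories it creates under a temp dir are constructed to mirror the 777 and 1777 variants of the Dockerfile line:

```shell
#!/bin/sh
# Added example (not from the issue): reproduce the CIS audit
# "Ensure sticky bit is set on all world-writable directories".
# A directory is flagged when it is world-writable (o+w) but lacks the
# sticky bit: exactly what "chmod 777" leaves behind and "chmod 1777" fixes.

# Print every directory under ROOT that fails the check.
find_unsticky_world_writable() {
    root="$1"
    # -perm -0002 : others have write permission
    # ! -perm -1000 : sticky bit not set
    # -xdev        : stay on one filesystem, as the CIS audit script does
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Return 0 (success) if DIR passes the check: either not world-writable,
# or world-writable with the sticky bit set.
dir_is_compliant() {
    dir="$1"
    [ -z "$(find "$dir" -maxdepth 0 -type d -perm -0002 ! -perm -1000 2>/dev/null)" ]
}

# Demo on a constructed tree; no root privileges needed.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/mysqld-777" "$tmp/mysqld-1777"
    chmod 777 "$tmp/mysqld-777"     # original Dockerfile line: flagged
    chmod 1777 "$tmp/mysqld-1777"   # proposed fix: sticky bit set, passes
    echo "Directories failing the CIS check:"
    find_unsticky_world_writable "$tmp"
    rm -rf "$tmp"
}

demo
```

Running it prints only the 777 directory; the 1777 one is world-writable too but passes because the sticky bit is present.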