Open sfzylad opened 2 years ago
The current issue is that k8s will set the SGID on volumes when the `fsGroup` field is set on a container - which is set at the pod securityContext level in build pods. The lifecycle will not modify the permissions and will publish the SGID bit to the registry.
Possible mitigations include updating the cnb lifecycle to remove this permission.
Posed the question in lifecycle: https://github.com/buildpacks/lifecycle/issues/934
The images created with `kpack` all have the SGID set on the `/layers` directory:

drwxrwsrwx 1 root cnb 4096 Jan 1 1980 /layers/
However there's no need to do that because executables inside of the image are running as the `cnb` user anyway:

Is there any specific reason for the SGID? If not can it be dropped?
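As an added example (not code from this issue, kpack or the lifecycle), the check a practitioner would run before trusting a published image: scan an OCI layer tarball for entries carrying setuid/setgid bits, and rewrite the layer with SGID cleared on directories, which is the mitigation the issue proposes for the lifecycle. The sample layer is constructed inline, with only `/layers` carrying the `drwxrwsrwx` mode from the listing above.

```python
import io
import stat
import tarfile

# Permission bits that should not survive into a published image layer.
FLAGGED_BITS = stat.S_ISUID | stat.S_ISGID


def find_special_bits(layer_tar: bytes):
    """Return [(path, octal_mode)] for every entry in an image layer
    tarball that carries the setuid or setgid bit."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tf:
        for member in tf.getmembers():
            if member.mode & FLAGGED_BITS:
                hits.append((member.name, oct(member.mode & 0o7777)))
    return hits


def strip_setgid_dirs(layer_tar: bytes) -> bytes:
    """Rewrite a layer tarball with the setgid bit cleared on directories,
    leaving file contents and all other mode bits untouched."""
    src, dst = io.BytesIO(layer_tar), io.BytesIO()
    with tarfile.open(fileobj=src, mode="r:*") as tin, \
            tarfile.open(fileobj=dst, mode="w") as tout:
        for member in tin.getmembers():
            if member.isdir():
                member.mode &= ~stat.S_ISGID
            data = tin.extractfile(member) if member.isreg() else None
            tout.addfile(member, data)
    return dst.getvalue()


def build_sample_layer() -> bytes:
    """Constructed sample layer (not a real kpack image): /layers has the
    SGID bit from the issue (mode 2777); the other entries are clean."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, kind, mode in (("layers", tarfile.DIRTYPE, 0o2777),
                                 ("workspace", tarfile.DIRTYPE, 0o755),
                                 ("layers/app/run", tarfile.REGTYPE, 0o755)):
            ti = tarfile.TarInfo(name)
            ti.type, ti.mode = kind, mode
            ti.uname, ti.gname = "root", "cnb"
            tf.addfile(ti)
    return buf.getvalue()


if __name__ == "__main__":
    layer = build_sample_layer()
    print("before:", find_special_bits(layer))
    print("after: ", find_special_bits(strip_setgid_dirs(layer)))
```

Running the same scan against real layers pulled from the registry is how to confirm the bit was actually dropped after a lifecycle fix.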