eth-cscs / sarus

OCI-compatible engine to deploy Linux containers on HPC environments.
https://sarus.readthedocs.io/en/stable/
BSD 3-Clause "New" or "Revised" License

Why is sarus requiring root permissions for things that are outside of sarus? #33

Open haampie opened 1 year ago

haampie commented 1 year ago

#0   checkThatPathIsRootOwned at "SecurityChecks.cpp":78 Path "/home/harmen/spack/opt/spack/linux-ubuntu22.10-zen2/gcc-12.2.0/squashfs-4.5.1-kyy4hxwwoqqwhrws35zhcgcqcmn56yah/bin/mksquashfs" must be owned by root in order to prevent other users from tampering its contents. Found uid=1000, gid=1000.

Why?

Madeeks commented 1 year ago

Hi @haampie, the intention of the feature, as part of the security checks, is to reduce the possibility of exploits through 3rd party binaries, which in several cases are executed with root privileges by Sarus.

Notice that the specific constraint you are referring to (root ownership of mksquashfs) was relaxed in version 1.5.2, since mksquashfs is only used by unprivileged commands.
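
The kind of ownership check behind the error quoted in this thread, as an added example that is not part of the discussion and not Sarus's own code. It goes beyond the message shown: besides root ownership it also rejects group- or world-writable entries and walks every parent directory, which is an assumption about what a complete check needs, and all names (`judge`, `checkChain`, `Verdict`, `StatFn`) are hypothetical.

```cpp
// Added example, not Sarus source. All names here are hypothetical.
#include <sys/stat.h>
#include <functional>
#include <iostream>
#include <string>

enum class Verdict { Ok, NotAbsolute, StatFailed, NotRootOwned, WritableByOthers };

// Policy on one inode: owned by uid 0 and not writable by group or others.
Verdict judge(const struct stat& st) {
    if (st.st_uid != 0) return Verdict::NotRootOwned;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return Verdict::WritableByOthers;
    return Verdict::Ok;
}

// Injectable stat so the walk can be exercised without touching the disk.
using StatFn = std::function<int(const std::string&, struct stat&)>;

int realStat(const std::string& p, struct stat& st) { return ::stat(p.c_str(), &st); }

// Checks `path` and every parent up to "/". A root-owned file inside a
// user-owned directory can still be renamed away and replaced by that user.
// Pass a canonical path (e.g. from realpath(3)); `offender` names the first
// component that fails and is empty on success.
Verdict checkChain(std::string path, std::string& offender,
                   const StatFn& statFn = realStat) {
    if (path.empty() || path[0] != '/') { offender = path; return Verdict::NotAbsolute; }
    for (;;) {
        struct stat st{};
        offender = path;
        if (statFn(path, st) != 0) return Verdict::StatFailed;
        Verdict v = judge(st);
        if (v != Verdict::Ok) return v;
        if (path == "/") { offender.clear(); return Verdict::Ok; }
        std::string::size_type slash = path.find_last_of('/');
        path = (slash == 0) ? "/" : path.substr(0, slash);
    }
}

int main(int argc, char** argv) {
    if (argc != 2) { std::cerr << "usage: " << argv[0] << " /abs/path\n"; return 2; }
    std::string offender;
    Verdict v = checkChain(argv[1], offender);
    if (v == Verdict::Ok) { std::cout << "ok\n"; return 0; }
    std::cerr << "rejected (code " << static_cast<int>(v) << ") at " << offender << "\n";
    return 1;
}
```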