audit container script file ownership

jboss-container-images / openjdk

Source To Image (S2I) image for Red Hat OpenShift providing OpenJDK

Apache License 2.0

53 stars 58 forks source link

audit container script file ownership #413

Open jmtd opened 8 months ago

jmtd commented 8 months ago

We have a pattern of doing stuff like

chown -R $USER:root $SCRIPT_DIR
chmod -R ug+rwX $SCRIPT_DIR
chmod ug+x ${ARTIFACTS_DIR}/opt/jboss/container/(something)

Consequently, many of the container executable scripts are owned by and writable by the running user, but that is not actually necessary for operation: furthermore, it isn't desirable because it increases an attack surface area.

jmtd commented 4 months ago

All of /opt/jboss/container is owned by the running user and probably shouldn't be

jmtd commented 4 months ago

https://issues.redhat.com/browse/OPENJDK-2814