paketo-buildpacks / jammy-tiny-stack

Tiny (minimal) stack for Ubuntu 2022.04: Jammy Jellyfish
Apache License 2.0

/home/cnb in image is world-writable #130

Closed candrews closed 1 year ago

candrews commented 1 year ago

I'm using Spring Boot's cloud native buildpack functionality to create a docker image. I'm using the latest versions of the buildpacks to ensure this issue hasn't already been resolved:

builder = "docker.io/paketobuildpacks/builder-jammy-tiny:0.0.168@sha256:1017bc155d7e4448442437d60500a04291865c2a483de79a49dd15846295c044"
runImage = "docker.io/paketobuildpacks/run-jammy-tiny:0.1.70@sha256:326a11516dec559bd89e898986d0b90154621f4a6b0a2d82fdbf4232f74a5d71"
buildpacks = listOf(
    "gcr.io/paketo-buildpacks/ca-certificates:3.6.3@sha256:c62529329b8275c1d5b8665fdcee5cd8a92a669133c6b554209f96e8d9c5b632",
    "gcr.io/paketo-buildpacks/bellsoft-liberica:10.2.6@sha256:7afc798fc9f2f3042c63029e5822068b3b2c4872329e0847aa51038a092fb9a9",
    "gcr.io/paketo-buildpacks/syft:1.32.1@sha256:8c662a749f29523731780a370cf9e1840784ce7ea9675bc2c40b0a6f6ef4c372",
    "gcr.io/paketo-buildpacks/executable-jar:6.7.4@sha256:1b2a80a6f51309785d064172e7032c6543909d5c2c827fd2686b6818f252a25f",
    "gcr.io/paketo-buildpacks/dist-zip:5.6.4@sha256:080303642fa278a8e9b617fb134d7cb9c7959661b03f67913cd5c0d95d6e8534",
    "gcr.io/paketo-buildpacks/spring-boot:5.26.1@sha256:a302dd4444bf204c0ad350384a93221993572e0643c2bb361eb56bac2ef86b6b",
)

In the resulting image, the /home/cnb directory is world writable, which causes security scanners to raise concerns, as world writable files/directories are a risk.

Can the /home/cnb directory please have its world-writable permission removed?

Expected Behavior

/home/cnb should not be world-writable.

Current Behavior

/home/cnb is world writable.

Possible Solution

Make /home/cnb not world-writable (even better, make it not world readable or executable either).

Steps to Reproduce

Here's my reference project: https://github.com/candrews/jumpstart

You can pull its docker image like so: docker pull ghcr.io/candrews/jumpstart:latest

I'm using podman to check the file permissions: ls -la "$(podman mount "$(podman container create ghcr.io/candrews/jumpstart:latest)")"/home/cnb

Actual:

# ls -la "$(podman mount "$(podman container create ghcr.io/candrews/jumpstart:latest)")"/home/cnb
total 0
drwxrwxrwx. 1 1002 candrews 0 Dec 31  1969 .
drwxr-xr-x. 1 root root     6 Jul 27 14:22 ..

Expected:

total 0
drwxrwx--x. 1 1002 candrews 0 Dec 31  1969 .
drwxr-xr-x. 1 root root     6 Jul 27 14:22 ..

Motivations
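The permission check behind this report, written out as an added example (not code from the issue or from the Paketo project): a POSIX shell script that walks a mounted image root and lists every file or directory whose "other" write bit is set, which is exactly what a scanner flags for /home/cnb. Rather than pulling the real image, it builds a constructed sample tree with one directory at mode 0777 (as the image ships it) and one at 0771 (the expected mode from the report); the function names and the sample paths are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the issue or the Paketo project.
# List every non-symlink entry under ROOT whose "other" write bit (o+w) is set.
# -perm -002 matches entries having at least that bit; symlinks are skipped
# because their mode is always 0777 and says nothing about the target.
find_world_writable() {
    find "$1" ! -type l -perm -002 2>/dev/null | sort
}

# Build a constructed sample tree so the check runs offline:
# home/cnb at 0777 reproduces the reported state, home/fixed at 0771
# is the mode the report expects. Prints the temporary root path.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/home/cnb" "$root/home/fixed"
    chmod 0777 "$root/home/cnb"
    chmod 0771 "$root/home/fixed"
    echo "$root"
}

# CI-style gate: return 1 (and print the offenders) when anything under
# ROOT is world-writable, 0 when the tree is clean.
check_image_root() {
    hits=$(find_world_writable "$1")
    if [ -n "$hits" ]; then
        echo "world-writable entries found under $1:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Demonstration on the constructed tree: reports home/cnb, then passes
# once the directory is given the expected 0771 mode.
root=$(make_sample_root)
if check_image_root "$root"; then
    echo "OK: no world-writable entries"
fi
chmod 0771 "$root/home/cnb"
if check_image_root "$root"; then
    echo "OK after chmod 0771: no world-writable entries"
fi
rm -rf "$root"
```

To run it against a real image instead of the sample tree, call check_image_root on the path returned by podman mount as in the report (ls -la "$(podman mount "$(podman container create IMAGE)")"), which lets the same gate catch any other world-writable path in the image, not only /home/cnb.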

robdimsdale commented 1 year ago

Hey @candrews - I agree this looks a little odd. If we can reduce the permissions we probably should.

The actual code that creates the /home/cnb directory is in the tool jam, here.

The main question I'd have before making this change is whether it's required as part of the buildpacks spec. I can't see anything in the spec, and I've asked in the CNB slack.

Assuming there's no objections or concerns, we can make the change in the jam tool and the next stacks that are built after the tool is released with the new feature will have reduced permissions.

candrews commented 1 year ago

Thank you for pointing me to jam, @robdimsdale! Please let me know when you have heard back.

candrews commented 1 year ago

The actual code that creates the /home/cnb directory is in the tool jam, here.

I submitted a PR: https://github.com/paketo-buildpacks/jam/pull/286

candrews commented 1 year ago

This issue is fixed in all builds after roughly August 2.

Thank you!