Closed candrews closed 1 year ago
Hey @candrews - I agree this looks a little odd. If we can reduce the permissions we probably should.
The actual code that creates the /home/cnb directory is in the tool jam, here.
The main question I'd have before making this change is whether it's required as part of the buildpacks spec. I can't see anything in the spec, and I've asked in the CNB slack.
Assuming there are no objections or concerns, we can make the change in the jam tool, and the next stacks that are built after the tool is released with the new feature will have reduced permissions.
Thank you for pointing me to jam, @robdimsdale! Please let me know when you have heard back.
> The actual code that creates the /home/cnb directory is in the tool jam, here.
I submitted a PR: https://github.com/paketo-buildpacks/jam/pull/286
This issue is fixed in all builds after roughly August 2.
Thank you!
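To turn the manual `podman mount` + `ls -la` check from this thread into something repeatable, here is an added example (not code from the issue, the jam tool or the Paketo project) that lists every directory in a mounted rootfs that is writable by "other" and does not carry the sticky bit, then applies one possible remediation to /home/cnb. The sample tree it builds under mktemp is constructed for illustration; against a real image you would pass the path returned by `podman mount` instead. The 0750 mode in `fix_home_dir` is one assumed choice that also drops world read/execute, as the issue suggests.

```shell
#!/bin/sh
# Added example, not from the issue thread. Scans a container rootfs for
# world-writable directories and shows a remediation for /home/cnb.
#
# Against a real image (assumed usage, mirrors the check in the issue):
#   root="$(podman mount "$(podman container create IMAGE)")"
#   check_rootfs "$root"

# Print every directory under $1 that is writable by "other" (o+w) and lacks
# the sticky bit. Sticky world-writable directories such as /tmp are the
# usual exception scanners accept. -xdev keeps find on the mounted filesystem.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Return 0 when the tree has no offending directories, 1 otherwise. The
# offenders are printed so the result is useful as a CI gate.
check_rootfs() {
    offenders="$(world_writable_dirs "$1")"
    if [ -n "$offenders" ]; then
        printf 'world-writable directories without sticky bit:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Build a constructed sample tree mirroring the report: /home/cnb at 0777
# (the reported problem), /tmp at 1777 (acceptable), /usr at 0755 (fine).
# Prints the root path so callers can use it.
make_sample_rootfs() {
    root="$(mktemp -d)"
    mkdir -p "$root/home/cnb" "$root/tmp" "$root/usr"
    chmod 0777 "$root/home/cnb"
    chmod 1777 "$root/tmp"
    chmod 0755 "$root/usr"
    printf '%s\n' "$root"
}

# One assumed remediation: owner rwx, group rx, nothing for other. This is
# the kind of chmod a build step could apply to the home directory.
fix_home_dir() {
    chmod 0750 "$1/home/cnb"
}
```

Run `check_rootfs` on the sample tree and only `/home/cnb` is reported; after `fix_home_dir` the scan is clean while `/tmp` stays untouched because its sticky bit excludes it.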
I'm using Spring Boot's cloud native buildpack functionality to create a docker image. I'm using the latest versions of the buildpacks to ensure this issue hasn't already been resolved:
In the resulting image, the /home/cnb directory is world writable, which causes security scanners to raise concerns, as world writable files/directories are a risk. Can the /home/cnb directory please have its world-writable permission removed?

Expected Behavior
/home/cnb should not be world-writable.

Current Behavior
/home/cnb is world writable.

Possible Solution
Make /home/cnb not world-writable (even better, make it not world readable or executable either).

Steps to Reproduce
Here's my reference project: https://github.com/candrews/jumpstart
You can pull its docker image like so:
docker pull ghcr.io/candrews/jumpstart:latest
I'm using podman to check the file permissions:
ls -la "$(podman mount "$(podman container create ghcr.io/candrews/jumpstart:latest)")"/home/cnb
Actual:
Expected:
Motivations