redis / docker-library-redis

Docker Official Image packaging for Redis
http://redis.io
BSD 3-Clause "New" or "Revised" License

Docker container redis:alpine contains files with unsafe permissions #404

Open zem opened 1 week ago

zem commented 1 week ago

The Docker image docker.io/library/redis:alpine contains files with unsafe permissions; in this case ./usr/local/bin/docker-entrypoint.sh is chmod 777. Files with chmod 777 should be found nowhere on a Unix system for security reasons, not even in containers, as they can be used as a backdoor to escalate privileges!

Here you can see the output of my container creation framework (podman-tools), which contains a container linter to avoid running potentially insecure containers:

```
podman container create  --volume mastodon_redis:/data --restart always --name mastodon_redis --pod mastodon  docker.io/library/redis:alpine 
b401a0b13ade88729e3f66a68caf603f484f11e5664563e7d05517b1cd09507e
WARNING! FOUND FILES WITH UNSAFE PERMISSIONS IN CONTAINER!
path relative to container root
-rwxrwxrwx. 1 root root 661 Jun 20 20:55 ./usr/local/bin/docker-entrypoint.sh
WARNING! FOUND FILES WITH UNSAFE PERMISSIONS IN CONTAINER!
container mastodon_redis lint failed
```
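The check the linter above performs (flagging world-writable files in a container's root filesystem) can be reproduced with a few lines of POSIX shell. The script below is an added example, not code from podman-tools or from the redis image. It assumes the container's rootfs has been exported to a directory (for instance with `podman export <container> | tar -x -C <dir>`); the function names and the sample directory tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example: scan an exported container rootfs for world-writable
# regular files, the condition zem's linter reports above. Not part of
# podman-tools or the docker-library/redis image.

# find_world_writable DIR
# Prints an ls -l line for every regular file under DIR whose
# other-write bit is set. Returns 1 if any were found, 0 otherwise,
# so the function can gate a create/run step the way the linter does.
find_world_writable() {
    dir="$1"
    # -perm -002 matches any mode with the other-write bit set, so 666,
    # 777, 1777 and similar all match. Only regular files are checked;
    # symlinks and directories are skipped.
    found=$(find "$dir" -type f -perm -002 2>/dev/null)
    if [ -n "$found" ]; then
        echo "WARNING! FOUND FILES WITH UNSAFE PERMISSIONS IN CONTAINER!"
        echo "path relative to container root"
        echo "$found" | while IFS= read -r f; do
            ls -l "$f"
        done
        return 1
    fi
    return 0
}

# count_world_writable DIR
# Number of world-writable regular files under DIR, for scripting.
count_world_writable() {
    find "$1" -type f -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# make_sample_rootfs
# Builds a constructed sample tree (not a real image) with one 777 file
# mirroring the finding in the issue and one correctly 755 file.
# Prints the path of the temporary root.
make_sample_rootfs() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/local/bin" "$root/data"
    printf '#!/bin/sh\nexec "$@"\n' > "$root/usr/local/bin/docker-entrypoint.sh"
    chmod 777 "$root/usr/local/bin/docker-entrypoint.sh"   # the unsafe file
    printf '#!/bin/sh\nexit 0\n' > "$root/usr/local/bin/healthcheck.sh"
    chmod 755 "$root/usr/local/bin/healthcheck.sh"         # fine
    echo "$root"
}
```

The trailing `.` in the `-rwxrwxrwx.` mode string of the linter output indicates an SELinux security context on the file; it is not part of the permission bits and the `-perm -002` test above ignores it. Note that the check only covers the mode bits: a file that is 755 but owned by an unprivileged user the container runs as can be just as writable, so an ownership check against the container's run-as user is a natural second rule for a linter like this.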
tianon commented 1 week ago

This is another case of https://github.com/moby/buildkit/issues/5066 :disappointed: