Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[debatable] Make rootfs 700? #181

Closed
hallyn opened this issue Oct 2, 2017 · 2 comments
Closed

[debatable] Make rootfs 700? #181

hallyn opened this issue Oct 2, 2017 · 2 comments

Comments

@hallyn
Copy link
Contributor

hallyn commented Oct 2, 2017

This could fall under "don't shoot yourself in the foot", but if I

umoci unpack  --image oci:alpine alpine

then alpine/rootfs is world descendable. This means if there are any setuid-root exploitable binaries in the roots, an unprivileged user may be able to get to them.

Like I say, I understand if you choose to ignore it, but I thought I should point it out.
@cyphar
Copy link
Member

cyphar commented Oct 3, 2017

This is actually something I've thought about before. I completely agree that we should make some aspect of the path 700, but I was thinking of making the bundle 700 to avoid including that mode inside the rootfs when repacking.

@cyphar cyphar mentioned this issue Oct 3, 2017
Merged
@hallyn
Copy link
Contributor Author

hallyn commented Oct 4, 2017

Awesome, thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hallyn @cyphar