bootBuildImage /workspace files may be world writeable #36639
Comments
spring-projects-issues
added
the
status: waiting-for-triage
wilkinsona
changed the title
|
Thanks for the suggestion. The use of the workspace directory is governed by Cloud Native Buildpacks. A change in |
wilkinsona
added
status: declined
I can't figure out what project(s) to start with, so I've asked that question at buildpacks/community#229 If you (or anyone else) can point me in the right direction in terms of the project/tool to which I should contribute, I'd be more than happy to figure out how to make this fix and submit a PR. Thank you again! |
|
FWIW, I would have started with GitHub discussions or Slack so I think you're already in the right place. I'm not sure where in the CNB landscape the change would have to be made, perhaps the lifecycle but that's not much more than a guess. |
Using Spring Boot's cloud native buildpack functionality to create a docker image., the
/workspacedirectory in the image will have files with permissions that come from the building system's file system.For example, if the build process creates a file at
./build/generated-resources/static/favicon.icothat is world writable (chmod 666), then that file will be world writable in thebootBuildImageproduced docker image at/workspace/BOOT-INF/classes/static/favicon.ico. This can be done by runningumask 0000before running./gradlew bootBuildImage.No files under
/workspaceshould world writable. World writable files are a violation of recommendations from the CIS Benchmarks and other security standards, example documentation: https://www.tenable.com/audits/items/CIS_SUSE_Linux_Enterprise_Workstation_11_v2.1.0_L1.audit:ffc7b53d7c43ea8da23cd2e6aa9e19c3When
bootBuildImageadds the files to the docker image, it should unset the world writable permission.The text was updated successfully, but these errors were encountered: