/workspaces directory contains world writable files

[candrews]

Using Spring Boot's cloud native buildpack functionality to create a docker image., the /workspace directory in the image will have files with permissions that come from the building system's file system. For example, if the build process creates a file at ./build/generated-resources/static/favicon.ico that is world writable (chmod 666), then that file will be world writable in the bootBuildImage produced docker image at /workspace/BOOT-INF/classes/static/favicon.ico. This can be done by running umask 0000 before running ./gradlew bootBuildImage.

No files under /workspace should world writable. World writable files are a violation of recommendations from the CIS Benchmarks and other security standards, example documentation: https://www.tenable.com/audits/items/CIS_SUSE_Linux_Enterprise_Workstation_11_v2.1.0_L1.audit:ffc7b53d7c43ea8da23cd2e6aa9e19c3

When bootBuildImage adds the files to the docker image, it should unset the world writable permission.

I raised this issue at spring-projects/spring-boot#36639 where the Spring project responded:

The use of the workspace directory is governed by Cloud Native Buildpacks. A change in bootBuildImage wouldn’t help other clients such as pack so I don’t think it’s the right approach. If a change is to be made it would be better done within the buildpacks so that all clients provide a consistent experience. If you want to pursue this, I would start by discussing it with the CNB community.

I'd really like to get this issue resolved so that consistent file permissions that do not grant world write are used for /workspace. I'm willing and able to create a PR in the appropriate project(s) to fix this issue, but I just don't know where to start - what project(s)/tool(s) handle /workspace permission? How can I proceed?

[robdimsdale]

@natalieparellano @jkutner do either of you have ideas as to which tool manages the permissions of /workspace?

Also meta-question - is this the right place for this kind of top-level question? I don't see a better repository and I didn't see project-level discussions.

[natalieparellano]

The permissions on the workspace directory are left up to the platform. Perhaps the issue here is that the lifecycle doesn't sanitize those bits in any way?

We recently discovered that pack was setting weird permissions on the workspace directory (see here and here). I think our preference as an alternative to having some set permissions would be to inherit those permissions from /workspace if present in the builder image. But this would need to be formalized in the spec.

[candrews]

I'd love to get some traction on this issue... how can I help?

To what project can I submit a PR? Or to what forum can I raise this issue to have it formalized in the spec so it eventually gets fixed?

[sambhav]

Seeing similar issues at buildpacks-community/kpack#1301