daemon: overlay2: remove world writable permission from the lower file

Signed-off-by: shechenglong <shechenglong@xfusion.com>
shechenglong 2025-04-17 17:27:01 +08:00
parent 764fae967d
commit b38bd9f959
2 changed files with 48 additions and 1 deletions


@ -0,0 +1,43 @@
From d0d85f6438af71ddd15d0441ec219daba192d4e5 Mon Sep 17 00:00:00 2001
From: Jaroslav Jindrak <dzejrou@gmail.com>
Date: Tue, 5 Mar 2024 14:25:50 +0100
Subject: [PATCH 022/172] daemon: overlay2: remove world writable permission
from the lower file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
In de2447c, the creation of the 'lower' file was changed from using
os.Create to using ioutils.AtomicWriteFile, which ignores the system's
umask. This means that even though the requested permission in the
source code was always 0666, it was 0644 on systems with default
umask of 0022 prior to de2447c, so the move to AtomicFile potentially
increased the file's permissions.
This is not a security issue because the parent directory does not
allow writes into the file, but it can confuse security scanners on
Linux-based systems into giving false positives.
Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
(cherry picked from commit cadb124ab679f7e48c917473e28ff7f270d27dd9)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
---
daemon/graphdriver/overlay2/overlay.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemon/graphdriver/overlay2/overlay.go b/daemon/graphdriver/overlay2/overlay.go
index 4f61ac8c08..4cf157e90f 100644
--- a/daemon/graphdriver/overlay2/overlay.go
+++ b/daemon/graphdriver/overlay2/overlay.go
@@ -406,7 +406,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
return err
}
if lower != "" {
- if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o666); err != nil {
+ if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o644); err != nil {
return err
}
}
--
2.27.0
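Review bot: the mode change at the `ioutils.AtomicWriteFile` call sits inside `create()` (see the hunk header), so it only affects the `lower` file of layers created after this patch is applied; `lower` files already written as 0o666 by earlier 25.0.x builds keep that mode until the layer is recreated, which means scanners will still flag upgraded hosts. Worth a sentence in the packaging changelog so the remaining findings are not mistaken for the patch being ineffective. The backport itself is a clean cherry-pick and keeps the upstream description, including the note that the parent directory already denies writes to the file.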


@ -7,7 +7,7 @@
Name: moby
Version: 25.0.3
Release: 25
Release: 26
Summary: The open-source application container engine
License: Apache-2.0
URL: https://www.docker.com
@ -37,6 +37,7 @@ Patch1010: 1010-fix-CVE-2024-36621.patch
Patch1011: 1011-fix-CVE-2024-36620.patch
Patch1012: 1012-fix-CVE-2024-36623.patch
Patch1013: 1013-Don-t-enforce-new-validation-rules-for-existing-netw.patch
Patch1014: 1014-daemon-overlay2-remove-world-writable-permission-fro.patch
# Patch 2001-2999 for tini
Patch2001: 2001-tini.c-a-function-declaration-without-a-prototype-is.patch
Requires(meta): %{name}-engine = %{version}-%{release}
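Review bot: this hunk declares `Patch1014: 1014-daemon-overlay2-remove-world-writable-permission-fro.patch` but no corresponding application of the patch is visible in the diff; confirm that `%prep` applies the `Patch1xxx` series automatically (for example via `%autosetup` or a loop over the patch list), otherwise the file is shipped in the source package but never applied and the Release bump advertises a fix the binary does not carry. The numbering follows the existing 1010-1013 sequence, and the file name matches the `Subject:` of the patch added in the other file.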
@ -228,6 +229,9 @@ fi
%systemd_postun_with_restart docker.service
%changelog
* Thu Apr 17 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-26
- daemon: overlay2: remove world writable permission from the lower file
* Thu Apr 17 2025 shechenglong <shechenglong@xfusion.com> - 25.0.3-25
- Don't enforce new validation rules for existing networks
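Review bot: the 25.0.3-26 changelog entry could cite the upstream commit the patch is cherry-picked from (cadb124ab679, as recorded in the patch header) so the backport is traceable from the spec alone, in the same way the neighbouring CVE patches carry their identifiers in their file names. The entry text otherwise matches the patch subject and the Release bump in the first hunk.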