fix: allow reading from cache folders for any users #7395
Conversation
I've added a read permission for all users, but the cache can contain sensitive data. @knqyf263 wdyt?
I think users should be responsible for the permission. If needed, they can change the permission of the cache dir at their own risk.
Sure. Let's close this PR, right?
Usually the user who creates the cache directory and the user who runs Trivy should be the same. Does this problem occur if the directory is created manually?
No, I can create a subfolder and there is no problem with permissions if the mode allows creating files. But if I create a new folder through
$ sudo mkdir subpath4
$ trivy i --cache-backend memory --cache-dir ~/Library/Caches/trivy/subpath4/ tomcat:9
2024-09-02T08:34:38+06:00 INFO [db] Need to update DB
2024-09-02T08:34:38+06:00 INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-09-02T08:34:42+06:00 FATAL Fatal error init error: DB error: failed to download vulnerability DB: database download error: oci download error: download error: failed to download /var/folders/q0/ykp5nvjx0j5_t4llxyh5hcm40000gn/T/trivy121102855/db.tar.gz: mkdir ~/Library/Caches/trivy/subpath4/db: permission denied
Yes, that is what I meant. The error you shared shows "permission denied", and it's clear enough. Users should fix the problem themselves. What do you think?
I think you're right as usual. We shouldn't update default permissions for cache folders.
This might be another problem from #7380, as it shows a different error.
Yes, I've re-opened the discussion and am retesting it with
Description
A new cache folder is created without read access for other users.
This PR grants read permissions.
Reproduction Steps:
$ trivy server -d --cache-dir ~/Library/Caches/trivy/subpath
Before:
$ ls -l ~/Library/Caches/trivy
total 0
drwxr-xr-x  4 user staff 128 27 Aug 00:25 db
drwx------  3 user staff  96 26 Aug 14:02 fanal
drwxr-xr-x@ 4 user staff 128 16 Aug 12:45 java-db
drwxr-xr-x@ 4 user staff 128 19 Aug 19:47 policy
drwx------  4 user staff 128 27 Aug 01:15 subpath
After:
$ ls -l ~/Library/Caches/trivy
total 0
drwxr-xr-x  4 user staff 128 27 Aug 00:25 db
drwx------  3 user staff  96 26 Aug 14:02 fanal
drwxr-xr-x@ 4 user staff 128 16 Aug 12:45 java-db
drwxr-xr-x@ 4 user staff 128 19 Aug 19:47 policy
drwxr--r--@ 4 user staff 128 27 Aug 01:29 subpath