-
Notifications
You must be signed in to change notification settings - Fork 157
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add an allowlist test for non-root owned files and ensure their UID/GID are statically allocated #1826
Comments
I did an analysis pass on the OS content of current
These are the packages and bugzilla tickets for each of those:
|
The |
It'd be good to socialize this on e.g. fedora-devel@ - this work conceptually isn't specific to FCOS and needs to be something that other OS developers/packagers understand. @lucab mind doing that? |
May even be Change worthy. Or perhaps packaging guidelines. And/or ensure that any tests for this are e.g. executed also for other editions. |
Yes, that would help for packages that aren't directly used for base FCOS images. I'll try to put something together for fedora-devel after this initial small round of packages for our scenario is fixed. |
The |
I think this should actually be an rpm-ostree builtin feature. |
@cgwalters mind detailing what is the |
I think rpm-ostree should traverse the target root (it has to anyways) and warn if there are any non-root owned files in |
Most of the files that are shipped as part of the ostree commit are root:root owned but a very small subset is not.
To make sure that those files end up using the same user and group in the final system, we need to make sure that their user -> UID and group -> GID associations are static.
Let's make a test that verify that for our current set of files.
See:
The text was updated successfully, but these errors were encountered: