beenull/moby
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
moby/daemon/graphdriver
History
Brian Goff 93ac040bf0 Lock down docker root dir perms. 
Do not use 0701 perms.
0701 dir perms allows anyone to traverse the docker dir.
It happens to allow any user to execute, as an example, suid binaries
from image rootfs dirs because it allows traversal AND critically
container users need to be able to do execute things.

0701 on lower directories also happens to allow any user to modify
     things in, for instance, the overlay upper dir which neccessarily
     has 0755 permissions.

This changes to use 0710 which allows users in the group to traverse.
In userns mode the UID owner is (real) root and the GID is the remapped
root's GID.

This prevents anyone but the remapped root to traverse our directories
(which is required for userns with runc).

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit ef7237442147441a7cadcda0600be1186d81ac73)
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2021-08-19 20:40:15 +00:00
..
aufs Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
btrfs Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
copy [DEL] remove useless assert 2020-11-09 23:38:45 +08:00
devmapper replace pkg/locker with github.com/moby/locker 2020-09-10 22:15:40 +02:00
fuse-overlayfs Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
graphtest quota: move quota package out of graphdriver 2020-10-05 13:28:25 +00:00
lcow Remove refs to jhowardmsft from .go code 2019-09-25 10:51:18 -07:00
overlay Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
overlay2 Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
overlayutils rootless: disable overlay2 if running with SELinux 2021-07-06 18:57:39 +09:00
register new storage driver: fuse-overlayfs 2020-02-10 23:48:52 +09:00
vfs Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
windows Revendor Microsoft/go-winio for 8gB file fix 2020-09-19 23:13:44 +10:00
zfs Lock down docker root dir perms. 2021-08-19 20:40:15 +00:00
counter.go graphdriver: Fix RefCounter memory leak 2018-02-09 10:26:06 +08:00
driver.go daemon/graphdriver: normalize comment formatting 2019-11-27 15:43:23 +01:00
driver_freebsd.go Add canonical import comment 2018-02-05 16:51:57 -05:00
driver_linux.go Really switch to moby/sys/mount* 2020-03-20 09:46:25 -07:00
driver_test.go bump gotest.tools v3.0.1 for compatibility with Go 1.14 2020-02-11 00:06:42 +01:00
driver_unsupported.go Add canonical import comment 2018-02-05 16:51:57 -05:00
driver_windows.go Add canonical import comment 2018-02-05 16:51:57 -05:00
errors.go Add canonical import comment 2018-02-05 16:51:57 -05:00
fsdiff.go Add layer id to NaiveDiffDriver untar timing log 2018-10-05 16:28:40 -07:00
plugin.go goimports: fix imports 2019-09-18 12:56:54 +02:00
proxy.go Move plugin client creation to the extension point 2018-05-25 15:18:53 -04:00