actions
GHA Runners create world-writable shared memory section
Describe the bug
Self-hosted gha runners on RHEL 9.4. They are creating a shared memory section with world-writable permissions. I assume that the runners use this to communicate among themselves. The issue is that the lttng-ust-wait-8 section has world-write permissions, and this is causing security audit concerns.
$ ll /dev/shm/
-rw-rw-rw- 1 gha-runner-7 gha-runner-7 4096 Feb 20 04:03 lttng-ust-wait-8 -rw-r----- 1 gha-runner-8 gha-runner-8 4096 Feb 20 04:03 lttng-ust-wait-8-558 -rw-r----- 1 gha-runner-7 gha-runner-7 4096 Feb 20 04:03 lttng-ust-wait-8-559 -rw-r----- 1 gha-runner-6 gha-runner-6 4096 Feb 20 04:03 lttng-ust-wait-8-560 -rw-r----- 1 gha-runner-5 gha-runner-5 4096 Feb 20 04:03 lttng-ust-wait-8-561 -rw-r----- 1 gha-runner-4 gha-runner-4 4096 Feb 20 04:03 lttng-ust-wait-8-562 -rw-r----- 1 gha-runner-3 gha-runner-3 4096 Feb 20 04:03 lttng-ust-wait-8-563 -rw-r----- 1 gha-runner-2 gha-runner-2 4096 Feb 20 04:03 lttng-ust-wait-8-564 -rw-r----- 1 gha-runner-1 gha-runner-1 4096 Feb 20 04:03 lttng-ust-wait-8-565
To Reproduce Steps to reproduce the behavior:
- Setup multiple runners on same host, but running as different users
- Run them
- After running a job or three, check /dev/shm for files like the case above.
Expected behavior A shared memory section should not have world-write permission.
Runner Version and Platform
Version of your runner?
OS of the machine running the runner? OSX/Windows/Linux/... Linux RHEL 9.4
What's not working?
n/a
Job Log Output
n/a
Runner and Worker's Diagnostic Logs
n/a
