
Incorrect permission set for `/workspace`

Open ghost opened this issue 2 years ago • 6 comments

tldr; /workspace should be read-only, but somehow it's writeable in some cases.

We've been using kpack on our internal platform to build images for our clients. Recently we found that users were able to write to /workspace, which caused some unexpected issues. We believe that it's caused by a regression bug from kpack.

We will be working on identifying the issue and will post a minimal reproducible example in the coming weeks.

ghost avatar Aug 15 '23 13:08 ghost

afaik I think /workspace (at least in the build container) has always been writable. I would imagine this would otherwise break languages that like to compile in place (like Java and its .class).

As a comparison, I just tried this out using pack and the implementation there allowed /workspace to be writable. I was able to create a buildpack that arbitrarily modified the source code as part of its build step.

chenbh avatar Aug 16 '23 21:08 chenbh

@chenbh I believe the issue is about the output images rather than the build process. The workspace is currently world-writable, which breaks workspace immutability during runtime when built layers are put atop the run image. Ideally it should only be writable by the build user.

kpack used to produce images that were not world-writable, but this changed recently.

There is also a buildpacks RFC to support this behavior, as not being able to do this leads to security issues.

Details are at https://github.com/buildpacks/rfcs/blob/main/text/0085-run-uid.md

sambhav avatar Aug 29 '23 22:08 sambhav
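One way to check an output image for the condition described in the comment above, as an added example that is not part of the thread or of kpack's code: it scans a single image layer tarball, already in hand as bytes, for entries at or under `/workspace` with the other-write bit set. The sample layer, its file names, modes and uid 1000 are constructed for the demonstration.

```python
import io
import posixpath
import stat
import tarfile

def world_writable_entries(layer_tar, prefix="workspace"):
    """List (path, mode) for entries at or under `prefix` that anyone can write."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_tar), mode="r:*") as tar:
        for member in tar:
            # Layer tars may name entries "./workspace/x" or "/workspace/x".
            path = posixpath.normpath(member.name).lstrip("/")
            if path != prefix and not path.startswith(prefix + "/"):
                continue
            # Symlink modes are not enforced on Linux; the target's mode matters.
            if member.issym():
                continue
            if member.mode & stat.S_IWOTH:
                findings.append((path, oct(member.mode & 0o7777)))
    return findings

def build_sample_layer():
    """Constructed layer: names, modes and uid 1000 are made up for the demo."""
    entries = [
        ("workspace", 0o777, tarfile.DIRTYPE),
        ("workspace/app.py", 0o666, tarfile.REGTYPE),
        ("workspace/config.yml", 0o644, tarfile.REGTYPE),
        ("workspace/current", 0o777, tarfile.SYMTYPE),
        ("tmp/scratch", 0o666, tarfile.REGTYPE),  # outside /workspace, ignored
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, kind in entries:
            info = tarfile.TarInfo("./" + name)
            info.type, info.mode = kind, mode
            info.uid = info.gid = 1000
            if kind == tarfile.SYMTYPE:
                info.linkname = "app.py"
            tar.addfile(info)
    return buf.getvalue()

if __name__ == "__main__":
    for path, mode in world_writable_entries(build_sample_layer()):
        print(f"world-writable: /{path} ({mode})")
```

An empty result for every layer of an image means nothing under `/workspace` is writable by users other than the owner and group.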

Related https://github.com/buildpacks/community/discussions/229

sambhav avatar Aug 30 '23 16:08 sambhav