
Feature Request: rabbitmq/3.10/ubuntu/Dockerfile - is it really advisable to have files with other write permission?

Open MrPippin66 opened this issue 3 years ago • 2 comments

In rabbitmq/3.10/ubuntu/Dockerfile, the permissions of the core directories are expressly set to 777 (other write permission).

I realize this is a container and the process runs as 'rabbitmq', so not really an exposure, but this flags security scanners.

Can't this be made just a bit more restrictive in removing 'other' write access? Or...add the sticky bit?

chmod 777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \

MrPippin66, May 09 '22 19:05

These get set to 777 to facilitate running the container as an alternate user -- in most use cases, at least $RABBITMQ_DATA_DIR will be provided as a mount from the user, so it typically already has tighter permissions. It shouldn't hurt anything for you to make those permissions stricter, but it's tough to balance that with the general use case (and as you mentioned, running in a container already mitigates the worst of this).

tianon, May 09 '22 21:05

I understand. Problem is that container files show up in security scanners outside the container, which are mostly justified in saying there's an issue.

Example:

4851064    4 drwxrwxrwx   2 100      501         4096 Mar 17 09:12 /var/lib/containers/storage/overlay/#NUM/diff/etc/rabbitmq/conf.d
4851103    4 drwxrwxrwx   3 100      501         4096 Mar 17 09:12 /var/lib/containers/storage/overlay/#NUM/diff/etc/rabbitmq
4851104    4 drwxrwxrwx   2 100      501         4096 Mar 17 09:12 /var/lib/containers/storage/overlay/#NUM/diff/etc/rabbitmq/conf.d
4851081    4 drwxrwxrwx   3 100      501         4096 Mar 17 09:12 /var/lib/containers/storage/overlay/#NUM/diff/etc/rabbitmq
4851082    4 drwxrwxrwx   2 100      501         4096 Mar 17 09:12 /var/lib/containers/storage/overlay/#NUM/diff/etc/rabbitmq/conf.d
4725460    8 drwxrwxrwx   3 100      501         4096 Mar 17 09:11 /var/lib/containers/storage/overlay/#NUM/diff/etc/rabbitmq

I understand the reasoning, but just bringing up the audit viewpoint of this.

MrPippin66, May 09 '22 21:05

Closing since users can change permissions via their own docker builds: https://github.com/lukebakken/docker-library-rabbitmq-558/blob/main/Dockerfile

lukebakken, Feb 08 '23 21:02
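An added example, not code from the rabbitmq image or from anyone in this thread: it reproduces the check the scanner above performs (world-writable directories without the sticky bit) against a constructed tree mirroring the five directories in the quoted chmod line, and applies the two remediations the issue proposes. The directory list and the fixture root are assumptions for the demonstration; run it against an unpacked image layer to audit a real build.

```shell
#!/bin/sh
# Audit and remediate world-writable directories as discussed in the issue.
# Everything here is an added example; paths are relative to a fixture root.

# Directories the quoted Dockerfile line sets to 777 (relative form, assumed).
RABBITMQ_DIRS="var/lib/rabbitmq etc/rabbitmq etc/rabbitmq/conf.d tmp/rabbitmq-ssl var/log/rabbitmq"

# Build a constructed tree under $1 that mirrors the image's 777 layout.
make_fixture() {
    root=$1
    umask 022                      # parents get 755, so only the 777 dirs are findings
    for d in $RABBITMQ_DIRS; do
        mkdir -p "$root/$d"
        chmod 777 "$root/$d"
    done
    # Control directory that is not world-writable and must not be reported.
    mkdir -p "$root/usr/lib/rabbitmq" && chmod 755 "$root/usr/lib/rabbitmq"
}

# Print every directory under $1 that is writable by "other" and lacks the sticky bit.
# -perm -0002 matches other-write; ! -perm -1000 excludes sticky directories.
audit_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000
}

# Remediation A (the issue's first suggestion): remove "other" write only.
# Group write is left alone, so an alternate user in the rabbitmq group still works.
drop_other_write() {
    find "$1" -type d -perm -0002 -exec chmod o-w {} +
}

# Remediation B (the issue's second suggestion): keep 777 but add the sticky bit,
# so only an entry's owner (or the directory owner) can delete or rename it.
add_sticky_bit() {
    find "$1" -type d -perm -0002 ! -perm -1000 -exec chmod +t {} +
}

# Number of findings, suitable as a CI gate ("0" means the scanner stays quiet).
count_findings() {
    audit_world_writable "$1" | wc -l | tr -d ' '
}
```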