fix: Ensure application files are readable by non-root users #2194

Merged
merged 1 commit into from
Aug 31, 2024

henrybell
Member

Fixes #2193

Background

The following services were failing to start (state of CrashLoopBackOff), because of missing file permissions in /app for non-root users:

  • contacts
  • userservice
  • frontend

Change Summary

Update Dockerfile to modify permissions of files in /app so they are readable by all users.

Related PRs or Issues

#2193

@henrybell henrybell requested review from yoshi-approver and a team as code owners August 22, 2024 12:54
@@ -37,4 +37,7 @@ ENV LOG_LEVEL info
# Add application code.
COPY . .

# Ensure files are readable for non-root users
RUN chmod a+r *
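Review bot: `RUN chmod a+r *` only changes the top-level, non-hidden entries of the working directory: the `*` glob skips dotfiles, `chmod` without `-R` does not descend into subdirectories, and `a+r` does not add the search (`x`) bit a directory needs before a non-owner can open files inside it. If a service reads anything in a subdirectory brought in by `COPY . .`, those files keep the mode they had in the build context. Consider `RUN chmod -R a+rX .`, or set the mode or owner at copy time with the `--chmod` or `--chown` options of `COPY`, which also avoids the extra layer. Because `COPY . .` takes the whole build context, it is worth confirming (for example with a `.dockerignore`) that nothing in it needs to stay unreadable to other users before widening the mode.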
Member

This defeats the purpose of running in non-root, since it gives access to all files to non-root, potentially creating security issues.

Member Author

Only to the application code and config files in /app -- I can make this more explicit if helpful. Another option would be to chown these to the user/group the pod is configured to run as.

@bourgeoisor bourgeoisor merged commit 4c760f7 into GoogleCloudPlatform:main Aug 31, 2024
5 checks passed
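
The difference between `chmod a+r *` (the command in the hunk) and a recursive `chmod -R a+rX .`, checked on a constructed directory tree. This is an added example, not code from the pull request or the project; the function names and file names are made up for illustration.

```shell
#!/bin/sh
# Added example: list paths under a directory that "other" users cannot use,
# judged by mode bits alone (files need o+r, directories need o+r and o+x).
blocked_for_others() {
    find "$1" \( \( -type f ! -perm -004 \) -o \( -type d ! -perm -005 \) \) -print
}

count_blocked() {
    blocked_for_others "$1" | wc -l | tr -d ' '
}

# Constructed tree standing in for /app after `COPY . .` from a build context
# with restrictive modes. File names are hypothetical.
make_tree() {
    t=$(mktemp -d) || return 1
    chmod 755 "$t"
    mkdir "$t/templates"
    : > "$t/app.py"
    : > "$t/.hidden"
    : > "$t/templates/index.html"
    chmod 600 "$t/app.py" "$t/.hidden" "$t/templates/index.html"
    chmod 700 "$t/templates"
    printf '%s\n' "$t"
}

tree=$(make_tree)
echo "blocked before any chmod:   $(count_blocked "$tree")"

( cd "$tree" && chmod a+r * )        # the command from the hunk
echo "blocked after chmod a+r *:  $(count_blocked "$tree")"
blocked_for_others "$tree"           # dotfile, subdirectory and its contents

( cd "$tree" && chmod -R a+rX . )    # recursive; X adds search on directories
echo "blocked after chmod -R a+rX: $(count_blocked "$tree")"
rm -rf "$tree"
```

Running `blocked_for_others /app` as a build step or in CI against the built image gives the same check for the real files.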
Development

Successfully merging this pull request may close these issues.

Services failing to start with a state of CrashLoopBackOff