[Bug 1472142] Re: /var/cache/lxc not world readable
Serge Hallyn
1472142 at bugs.launchpad.net
Mon Jul 20 16:25:55 UTC 2015
Thanks for filing this report.
The issue isn't really "secrets" being exposed in the cache, but rather
setuid-root or file-capability-endowed binaries in the rootfs,
especially if they become stale and contain a CVE. Lxc can't be sure
where third-party templates have stored such binaries, so if
/var/cache/lxc was 755 then every subdirectory would need to be 700, and
we'd have to worry about a bug leaving one open.
If you "know what you're doing" then you can chmod /var/cache/lxc on
your systems to 755, and lxc won't revert those permissions against your
will. But I'm afraid we have to mark this wontfix. Too bad, because I
agree it *is* inconvenient.
** Changed in: lxc (Ubuntu)
Status: New => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1472142
Title: /var/cache/lxc not world readable
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1472142/+subscriptions
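The reply above argues that the real exposure is stale setuid-root or file-capability-endowed binaries inside cached template rootfs trees, reachable by any local user if /var/cache/lxc is 755. The following audit helper is an added example, not part of lxc or of this bug thread: it enumerates such binaries under a cache directory and reports whether the directory's "other" permission bits grant any access. The default path /var/cache/lxc and the function names are assumptions of this example; `getcap` is only used when present.

```shell
#!/bin/sh
# Added example (not lxc code): audit a template cache for privileged binaries.
# Assumption: the cache root is /var/cache/lxc unless a path is passed in.

# Print every regular file under $1 that carries the setuid or setgid bit,
# followed by any file with extended capabilities (when getcap is installed).
list_privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    fi
}

# Number of privileged files found under $1 (0 when none).
count_privileged_files() {
    list_privileged_files "$1" | wc -l | tr -d ' '
}

# Exit 0 when the "other" rwx triple of $1 grants any access at all,
# i.e. the directory is not the 700 that the reply describes as the safe default.
is_world_accessible() {
    other=$(ls -ld "$1" | cut -c8-10)
    case "$other" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# Summarise the risk for one cache directory.
audit_cache() {
    dir=${1:-/var/cache/lxc}
    if is_world_accessible "$dir"; then
        echo "WARN: $dir is world-accessible; privileged binaries below it are reachable by unprivileged users"
    else
        echo "OK: $dir is not world-accessible"
    fi
    echo "privileged files under $dir: $(count_privileged_files "$dir")"
    list_privileged_files "$dir"
}

# Usage: sh audit_cache.sh [cache-dir]
[ "${AUDIT_CACHE_NO_MAIN:-}" ] || audit_cache "$@"
```

Run it as root so that `find` can descend into every cached rootfs; a non-empty list together with a WARN line is exactly the combination the reply says lxc cannot rule out, because third-party templates decide where their setuid or capability-bearing files live.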