
CIS rule Ensure No World-Writable Files Exist fails because of containerd address files and some charm pod files #137

Open
nishant-dash opened this issue Jan 23, 2025 · 2 comments

Comments

@nishant-dash

As you can see, the permissions of these files are a bit too open; however, their directory perms are ok. This fails the CIS rule for world-writable files.

root@microk8s-3:~# find / -xdev -type f -perm -002
/var/snap/microk8s/common/var/lib/kubelet/pods/ec74752c-f15b-42d3-a2d0-9c4b5b2c1aaf/containers/juju-operator/795fb8f3
/var/snap/microk8s/common/var/lib/kubelet/pods/c8a0b10c-c75f-4dec-b14c-b2bdda816ea9/containers/juju-operator/6f02a959
/var/snap/microk8s/common/var/lib/kubelet/pods/9ec31e95-9746-4bf6-a333-8ddb035c5e23/containers/charm/25eb2666
/var/snap/microk8s/common/var/lib/kubelet/pods/9ec31e95-9746-4bf6-a333-8ddb035c5e23/containers/charm/dc73a5e1
/var/snap/microk8s/common/var/lib/kubelet/pods/9ec31e95-9746-4bf6-a333-8ddb035c5e23/containers/charm/d1c9e0bd
/var/snap/microk8s/common/var/lib/kubelet/pods/9ec31e95-9746-4bf6-a333-8ddb035c5e23/containers/charm/96b4d6bf
/var/snap/microk8s/common/var/lib/kubelet/pods/9ec31e95-9746-4bf6-a333-8ddb035c5e23/containers/charm-init/06af8e01
/var/snap/microk8s/common/var/lib/kubelet/pods/ce8159d4-adb9-4eda-acd2-ee2338890744/containers/catalogue/154b6cc0
/var/snap/microk8s/common/var/lib/kubelet/pods/ce8159d4-adb9-4eda-acd2-ee2338890744/containers/charm/d51f5ebc
/var/snap/microk8s/common/var/lib/kubelet/pods/ce8159d4-adb9-4eda-acd2-ee2338890744/containers/charm-init/3629e3dc
/var/snap/microk8s/common/var/lib/kubelet/pods/f662f48b-6ba9-48e6-9aad-6ba89d6e2941/containers/charm/4554bb04
/var/snap/microk8s/common/var/lib/kubelet/pods/f662f48b-6ba9-48e6-9aad-6ba89d6e2941/containers/charm/e4079892
/var/snap/microk8s/common/var/lib/kubelet/pods/f662f48b-6ba9-48e6-9aad-6ba89d6e2941/containers/charm/8156755e
/var/snap/microk8s/common/var/lib/kubelet/pods/f662f48b-6ba9-48e6-9aad-6ba89d6e2941/containers/charm-init/bff80650
/var/snap/microk8s/common/var/lib/kubelet/pods/cd30373a-797c-479c-8798-bdfd44baafe5/containers/speaker/36eaef76
/var/snap/microk8s/common/var/lib/kubelet/pods/75f20c22-968e-4509-a32a-17940a0a4f19/containers/controller/9ab481ad
/var/snap/microk8s/common/var/lib/kubelet/pods/3d49086f-c90a-4e7b-99ba-a14dcc802904/containers/charm/9ed27cb4
/var/snap/microk8s/common/var/lib/kubelet/pods/3d49086f-c90a-4e7b-99ba-a14dcc802904/containers/charm/195ac3c9
/var/snap/microk8s/common/var/lib/kubelet/pods/3d49086f-c90a-4e7b-99ba-a14dcc802904/containers/charm/fc455199
/var/snap/microk8s/common/var/lib/kubelet/pods/3d49086f-c90a-4e7b-99ba-a14dcc802904/containers/charm-init/978bce27
/var/snap/microk8s/common/var/lib/kubelet/pods/1d255aed-71c0-4e2e-80fa-e7dced94fe33/volumes/kubernetes.io~empty-dir/charm-data/var/lib/juju/agents/unit-prometheus-0/charm/cos-tool-amd64
/var/snap/microk8s/common/var/lib/kubelet/pods/1d255aed-71c0-4e2e-80fa-e7dced94fe33/containers/charm/00cc3a72
/var/snap/microk8s/common/var/lib/kubelet/pods/1d255aed-71c0-4e2e-80fa-e7dced94fe33/containers/charm/295e514b
/var/snap/microk8s/common/var/lib/kubelet/pods/1d255aed-71c0-4e2e-80fa-e7dced94fe33/containers/charm/83b12354
/var/snap/microk8s/common/var/lib/kubelet/pods/1d255aed-71c0-4e2e-80fa-e7dced94fe33/containers/prometheus/a4781b1a
/var/snap/microk8s/common/var/lib/kubelet/pods/1d255aed-71c0-4e2e-80fa-e7dced94fe33/containers/charm-init/fc8e1681
/var/snap/microk8s/common/var/lib/kubelet/pods/1d255aed-71c0-4e2e-80fa-e7dced94fe33/volume-subpaths/charm-data/charm/1/agents/unit-prometheus-0/charm/cos-tool-amd64
/var/snap/microk8s/common/var/lib/kubelet/pods/1d255aed-71c0-4e2e-80fa-e7dced94fe33/volume-subpaths/charm-data/charm-init/0/agents/unit-prometheus-0/charm/cos-tool-amd64
/var/snap/microk8s/common/var/lib/kubelet/pods/45bc4871-50d8-46f9-9644-5c6cb9fcfefa/containers/upgrade-ipam/36d47ddf
/var/snap/microk8s/common/var/lib/kubelet/pods/45bc4871-50d8-46f9-9644-5c6cb9fcfefa/containers/calico-node/8bf32ea2
/var/snap/microk8s/common/var/lib/kubelet/pods/45bc4871-50d8-46f9-9644-5c6cb9fcfefa/containers/install-cni/a001f15f
/var/snap/microk8s/common/var/lib/kubelet/pods/93a94344-c95d-494c-a080-63678d4ea73d/containers/csi-rbdplugin/ae03b758
/var/snap/microk8s/common/var/lib/kubelet/pods/93a94344-c95d-494c-a080-63678d4ea73d/containers/driver-registrar/15331f96
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/e7f438a064683b32207af5874169b451f54b2d00540eb4fd7400ca0e34975d1c/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/902c74694e78d8ae85644ad90cdc75c7809f630f7e012842745693a7b586705b/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/64c56a9abd715abac375d5a48d66e490b5ea7d58b2a67510476ba24403f6fcdd/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/3e28f17af85afdefe57191a08c22ccc94916a282bd4ec025afad23c4d13a2407/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/9a1c4478d7accca06ed7ba6ba7f0ef3f16ad4437fc412ee70c4fa620a687511c/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/31e1f34a5a0e8dd55f3864a1d221b30941ce25f989c0a320221728c87b3bfec8/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/60d54dc16274f3bb39e1d3fa791de14152616d7144462880f77325d9fccf5710/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/44cb3bbd22e2bbf595b0f39bb0a66b2f0ba0a10e7be1a5a5da1d36b160ee7634/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/90a1f8d39c05f186a147514a21db2395cd183a022354ef13e4ef71d79479c9d9/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/4618e691f20006331b6a349d5c450927492d3086e8595e9965a963eb2ce684e6/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/5315df660888ed4f0c01bea7d34e712470de3b70b4af7d720ffb72e3ba386415/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/aadf44015f954323b286c916d77eb378d9029687c7d0c8102d95131dac933f3b/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/bc03560336c8a0f72b1dd2125ada891d667a576a05a5447a5cd3faad5473f708/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/f28afaffab8c6c0d627ff4a695598784977dcf9eabc5673a53783f126bda82d0/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/81b2d77c55f0138c387a2ac3a18fa33a121502fc8397e6ddeada638c0e77fd66/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/ae609d3a7363c21223555b5fe6299a0beea01325d236f34246d0cb4a5bc4b68d/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/989f067a5e239c0777c842d6a06bda7d8a2d2745bfdcb7e6f915d72d1dc3264e/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/460a251fb1994fc92285accedb12e3353f032af394119e2bcc1d70fb03d779eb/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/ee4c43fa156fd61b24d656868482fc9ade9d18a47e3296cdb9db5c11101cdae1/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/7a26c23ae7403c708f6f85046480d92630de41566f497269358578d9c8fdc997/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/8dc6f6c918a974ffdfc6b337ed5cb9bd24136149f91ccd0ae4476765125a157a/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/0886a582ec7e3369577d4eb3bb3265be9bb9535e8a93e5a692eda4c6a3e061c5/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/f473f1312891e612412eedf5dcb0d2f7d88ec41cdb1740bd22502081f9f35d49/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/7d74fdae9409c59e51b6fa9be2873447c341bc84cc7ad88b2a8be3a1b1840a2c/address
/var/snap/microk8s/common/run/containerd/io.containerd.runtime.v2.task/k8s.io/3090f4b41f1a9b681dd65ea45215eefafb5969f46299efc2cc3e8f4248b239e0/address
/var/lib/juju/agents/unit-grafana-agent-vm-2/charm/cos-tool-amd64
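The audit in the issue is a single `find`; what a practitioner usually wants next is to separate the files a runtime recreates on every pod or task start (the containerd shim `address` files and the per-container files under `kubelet/pods/.../containers/`) from persistent files that should simply be fixed, then remediate with `chmod o-w` and re-run the check. The script below is an added example written for this page, not code from the issue, from microk8s or from containerd. It builds a constructed temporary tree whose paths mimic the listing above (the pod id, task id and file names are made up) so it runs offline.

```shell
#!/bin/sh
# Added example: audit, classify and remediate world-writable regular files.
# The fixture tree, its ids and file names are constructed for this example.

# List regular files with the other-write bit set under a root, one per line.
world_writable_files() {
    find "$1" -xdev -type f -perm -002 2>/dev/null | sort
}

# Number of world-writable regular files under a root (whitespace-trimmed
# so the value is safe to compare with -eq on any wc implementation).
count_world_writable() {
    world_writable_files "$1" | wc -l | tr -d ' '
}

# Classify one path: "runtime" for files the container runtime recreates
# on every task or pod start, "persistent" for everything else.
classify_path() {
    case "$1" in
        */run/containerd/io.containerd.runtime.v2.task/*/address) echo runtime ;;
        */var/lib/kubelet/pods/*/containers/*) echo runtime ;;
        *) echo persistent ;;
    esac
}

# Count world-writable files of one class ($1 = root, $2 = class).
count_class() {
    n=0
    for f in $(world_writable_files "$1"); do
        if [ "$(classify_path "$f")" = "$2" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# CIS remediation: clear the other-write bit on every offending file.
remediate() {
    world_writable_files "$1" | while IFS= read -r f; do
        chmod o-w "$f"
    done
}

# Build a constructed tree that mirrors the issue's layout:
# two runtime-managed files, one persistent charm binary, one clean file.
make_fixture() {
    root=$(mktemp -d)
    task="$root/run/containerd/io.containerd.runtime.v2.task/k8s.io/0123abcd"
    pod="$root/var/lib/kubelet/pods/0000-constructed-pod/containers/charm"
    charm="$root/var/lib/juju/agents/unit-demo-0/charm"
    mkdir -p "$task" "$pod" "$charm"
    : > "$task/address"
    : > "$pod/1a2b3c4d"
    : > "$charm/cos-tool-amd64"
    : > "$charm/config.yaml"
    chmod 0666 "$task/address"
    chmod 0666 "$pod/1a2b3c4d"
    chmod 0777 "$charm/cos-tool-amd64"
    chmod 0644 "$charm/config.yaml"
    echo "$root"
}
```

Usage: `R=$(make_fixture)`, then `world_writable_files "$R"` shows three hits, `count_class "$R" runtime` reports two of them as runtime-managed, and after `remediate "$R"` the audit returns nothing. On a real node the root would be `/`; the classification tells you which findings will reappear on the next pod restart (and therefore need a fix upstream or a documented exception in the benchmark profile) versus which, like the charm binary, stay fixed once `chmod o-w` is applied.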
@nishant-dash
Author

I found this upstream issue containerd/containerd#9363, which claims to have it fixed in containerd 1.6.27, and we have 1.6.28 in microk8s, so perhaps something else might be going on?

@bschimke95 is aware of this and reproduced this behavior

@bschimke95

Hey @nishant-dash
I would first verify if this is really fixed in that containerd version in isolation and if not, reach out to the containerd project.

As discussed, charmed microk8s is deprecated. We will happily review a contribution/PR from your side, but we won't address this in the charm ourselves.
