
Group/world writable folders esp under docker

Asked by sunhux (High Priority, 141 views, last modified 2019-12-02):
Refer to the attached list of group/world-writable folders:
many of them are under the docker dir & some are owned by ftp.

Q1:
Is it OK to remove the group-writable permission?

Q2:
Those files owned by ftp: can we amend them to be owned by root?
Attachment: gwrifold.zip

Author commented:
Correction to Q1: can we set the owner of the unowned files to root:root?
David Favor, Fractional CTO (Certified Expert, Distinguished Expert 2019), commented:
Q1: can we set the owner of the unowned files to root:root ?

Your Docker setup appears to be correctly running Docker containers as unprivileged, meaning the container files are owned by some random uid/gid, which in your case looks to have a base uid == 1000.

You can make any change you like, as you're logged in as root.

And if you make the change you just described, all Docker code will instantly crash, because from a system level you just changed all the files to root:root. From a container level, a high uid number like 1001 appears as root from inside the container.

How all this is managed is a long conversation. If you care, you can read up on how Docker manages containers to ensure security.

Q2: Those files owned by ftp: can we amend to be owned by root?

This is similar to Q1. You can change anything you like + you may completely break your ability to use FTP on your machine.
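An added example, not from this thread and not sunhux's actual list: a POSIX sh script that classifies the group/world-writable directories from the attachment before anyone runs chown or chmod on them. It assumes Docker's userns-remap, where /etc/subuid gives the remapped user (dockremap by default) a uid range whose first uid appears as uid 0 inside the container, so a directory owned by a uid in that range must be left alone. The find command in the header comment, the /etc/subuid contents and the directory list are constructed sample data; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Classify group/world-writable
# directories before touching their owner or mode.
#
# Real input would come from GNU find, one directory per line:
#   find / -xdev -type d \( -perm -o+w -o -perm -g+w \) -printf '%m %u %U %p\n'
# (%m octal mode, %u owner name, %U numeric uid, %p path).

# Constructed stand-in for /etc/subuid (Docker userns-remap ranges).
SUBUID='dockremap:100000:65536
sunhux:165536:65536'

# Constructed stand-in for the find output above.
FIND_SAMPLE='1777 root 0 /tmp
0777 nobody 65534 /srv/drop
2775 ftp 14 /var/ftp/pub
775 100000 100000 /var/lib/docker/overlay2/abc/diff/etc
775 100033 100033 /var/lib/docker/overlay2/abc/diff/var/www
0775 www-data 33 /var/www/html'

# in_subuid_range UID SUBUID_TEXT
# Prints the user owning the range that contains UID and succeeds;
# prints nothing and fails when UID is outside every user:start:count entry.
in_subuid_range() {
    uid=$1
    printf '%s\n' "$2" | while IFS=: read -r user start count; do
        [ -z "$user" ] && continue
        if [ "$uid" -ge "$start" ] && [ "$uid" -lt $((start + count)) ]; then
            printf '%s\n' "$user"
            break
        fi
    done | grep .
}

# classify MODE OWNER UID PATH
# Prints "verdict<TAB>path<TAB>reason". Container-owned paths win over every
# mode check, because chown to root:root there breaks the running container.
classify() {
    mode=$1 owner=$2 uid=$3 path=$4
    while [ ${#mode} -lt 4 ]; do mode=0$mode; done   # find %m omits leading zeros
    special=${mode%???}                 # setuid/setgid/sticky digit
    other=${mode#???}                   # "other" permission digit
    tmp=${mode%?}; group=${tmp#??}      # "group" permission digit
    if ns=$(in_subuid_range "$uid" "$SUBUID"); then
        verdict=container
        reason="uid $uid maps into the user namespace of '$ns' (uid $((uid - 100000)) inside it); leave owner and mode alone"
    elif [ $((other & 2)) -ne 0 ] && [ $((special & 1)) -ne 0 ]; then
        verdict=sticky-ok
        reason="world-writable with sticky bit (tmp-style): users can only remove their own files"
    elif [ $((other & 2)) -ne 0 ]; then
        verdict=world-writable
        reason="any local user can create or replace files here; chmod o-w, or add the sticky bit if drop-box semantics are wanted"
    elif [ $((group & 2)) -ne 0 ]; then
        verdict=group-writable
        reason="owner $owner; check who is in the group before chmod g-w, since that is what the service may rely on"
    else
        verdict=ok
        reason="not group- or world-writable"
    fi
    printf '%s\t%s\t%s\n' "$verdict" "$path" "$reason"
}

# report: classify every line of the find output.
report() {
    printf '%s\n' "$FIND_SAMPLE" | while read -r mode owner uid path; do
        classify "$mode" "$owner" "$uid" "$path"
    done
}

report
```

Only the `world-writable` rows are candidates for an immediate `chmod o-w`; `container` rows are the ones the answer above warns about, and `group-writable` rows (the ftp-owned directory among them) need the group membership checked first, because removing g+w or chowning to root is exactly what stops the FTP daemon writing there. The "uid inside the container" arithmetic assumes the first range in the sample starts at 100000, as noted in the code.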
David Favor (Fractional CTO, Certified Expert, Distinguished Expert 2019) commented again:
Aside: If you're serious about security, hardening is a far second to the following items.

1) Never use FTP. If you do, you will eventually be hacked in some way. This might be minor or major, depending on how login user/pass management occurs.

FIX: Use SFTP only. MySecureShell (zero config SFTP server) packages exist for all major Distros. If you have trouble getting MySecureShell running, open another question asking for assistance.

2) Use LXD, not Docker, if you have persistent data.

Docker has no concept of persistent data. Said another way, Docker data volumes (persistent data) live outside of Docker, which creates a maintenance nightmare + can produce potential security problems.

Fix: Use Docker for microservices maintaining no state/data across boots. Use LXD for LAMP Stacks or other situations where data must persist across boots.

3) Biggest Security Consideration: Run RHEL 8 only + keep all your software updates installed.