World writable address file in container runtime folder

Hi, The permission in container runtime address file is world writable.

# ll /run/containerd/io.containerd.runtime.v2.task/moby/ed967eac47c6f12e8b3f88d255d6ec7d4abb2eecec45641eb65841587c7d1bbf/address 
-rw-rw-rw-. 1 root root 89 May 22 15:11 /run/containerd/io.containerd.runtime.v2.task/moby/ed967eac47c6f12e8b3f88d255d6ec7d4abb2eecec45641eb65841587c7d1bbf/address

Our security scan tool captured this security vulnerability. The permission should ideally be -rw-r--r--.
Is there a way to mitigate this permission issue?
Manually updating the permissions will not help as it will come again on container recreation.

Did you check “Docker rootless”?

Have you checked the parent folder of that “address” file?

ll /run/containerd/io.containerd.runtime.v2.task/moby/ed967eac47c6f12e8b3f88d255d6ec7d4abb2eecec45641eb65841587c7d1bbf

You will probably see that the folder is not executable by other users, which means even if a nonroot user could write the address, they could not have access to the parent folder so they would not be able to write the address. You can try it without root privileges and it will show a permission denied error. You couldn’t even read the file without root user.

You had another topic about IP forwarding where I had the same feeling that you either use a security scanner with default config or a scanner which is not able to recognize more complex cases and detects something that could be a security issue, but not necessarily is one, so you need to analyze the situation and ignore the report if it is not a real issue.

What is the scanner software? Can you share the name of it?

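The check the reply above describes, written out as a small POSIX shell helper. This is an added example, not code from the thread, from Docker or from containerd: a scanner that only reads the leaf file's mode bits reports the address file, but the kernel also requires search (x) permission on every ancestor directory before an unprivileged user can reach the file. The helper walks the ancestors the same way and only reports a real finding when both conditions hold. It assumes `stat -c '%a'` (GNU or busybox coreutils); the optional STOP_DIR argument, used here to bound the walk (for instance at `/run`), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): a scanner that only reads the leaf's
# mode bits flags the address file, but the kernel also needs search (x)
# permission on every ancestor directory. This helper walks the path the
# same way. Requires stat -c (GNU or busybox coreutils).

# other_bits PATH -> prints the "other" permission digit (0-7) of PATH
other_bits() {
  mode=$(stat -c '%a' "$1") || return 1
  echo $(( mode % 10 ))
}

# effectively_world_writable FILE [STOP_DIR]
# Exit 0 only if FILE is o+w AND every directory between FILE and STOP_DIR
# (exclusive, default "/") is o+x, i.e. an unprivileged user could both
# reach and write it. Prints a one-line verdict either way.
effectively_world_writable() {
  f=$1
  stop=${2:-/}
  other=$(other_bits "$f") || return 1
  if [ $(( other & 2 )) -ne 2 ]; then
    echo "$f: not world-writable (other=$other)"
    return 1
  fi
  d=$(dirname "$f")
  while [ "$d" != "$stop" ] && [ "$d" != "/" ] && [ "$d" != "." ]; do
    dbits=$(other_bits "$d") || return 1
    if [ $(( dbits & 1 )) -ne 1 ]; then
      echo "$f: o+w set, but $d lacks o+x, so others cannot reach it (not a finding)"
      return 1
    fi
    d=$(dirname "$d")
  done
  echo "$f: reachable AND world-writable (real finding)"
  return 0
}
```

Run it against the path from the first post, e.g. `effectively_world_writable /run/containerd/io.containerd.runtime.v2.task/moby/<id>/address /run`; on the layout described in the thread it stops at the first ancestor without o+x and reports that the file is not reachable by other users. Note that it only evaluates the mode bits for "other", so it does not account for ACLs, group membership or mandatory access control, which a full assessment would also consider.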

“Docker rootless” has the same behaviour but the path is different.

[root@ip-10-0-0-20 ~]# ls -la /run/user/1000/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/024cfe0af80142f4292b698aa4160afae713e5beeacfaa60c52711db62244b57/address 
-rw-rw-rw-. 1 testuser testuser 89 Jun  2 04:34 /run/user/1000/docker/containerd/daemon/io.containerd.runtime.v2.task/moby/024cfe0af80142f4292b698aa4160afae713e5beeacfaa60c52711db62244b57/address