World writable address file in container runtime folder

Have you checked the parent folder of that “address” file?

ll /run/containerd/io.containerd.runtime.v2.task/moby/ed967eac47c6f12e8b3f88d255d6ec7d4abb2eecec45641eb65841587c7d1bbf

You will probably see that the folder is not executable by other users, which means even if a nonroot user could write the address, they could not have access to the parent folder so they would not be able to write the address. You can try it without root privileges and it will show a permission denied error. You couldn’t even read the file without root user.

You had another topic about IP forwarding where I had the same feeling that you either use a security scanner with default config or a scanner which is not able to recognize more complex cases and detects something that could be a security issue, but is not necessarily one, so you need to analyze the situation and ignore the report if it is not a real issue.

What is the scanner software? Can you share the name of it?

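The check described in the reply above (a file's own mode bits mean nothing if an ancestor directory denies the search bit) can be automated for scanner triage. The following script is an added example, not code from the original thread or from containerd; it inspects mode bits via stat() rather than attempting an open, so its verdict does not depend on the uid it runs as. The directory names, the task id placeholder and the file contents are constructed to mirror the layout in the post.

```python
"""Triage helper for "world-writable file" scanner findings.

Added example, not from the original forum post. A file with mode 0666 is
only reachable by an unprivileged user if every ancestor directory grants
that user the search (execute) bit; a 0700 parent blocks the path regardless
of the file's own bits. The demo layout below is constructed and the task
id is a placeholder.
"""
from __future__ import annotations

import stat
import tempfile
from pathlib import Path


def other_can_traverse(directory: Path) -> bool:
    """True if 'other' users have the search (x) bit on this directory."""
    return bool(directory.stat().st_mode & stat.S_IXOTH)


def effective_world_writable(path: str, within: str | None = None) -> tuple[bool, list[str]]:
    """Return (world_writable_in_practice, reasons).

    The file must carry o+w AND every ancestor directory (optionally only
    those under `within`) must carry o+x; otherwise a non-owner, non-group
    user cannot even open the file, so the finding is a false positive.
    """
    p = Path(path).resolve()
    root = Path(within).resolve() if within else None
    reasons: list[str] = []
    if not p.stat().st_mode & stat.S_IWOTH:
        reasons.append(f"{p}: file is not world-writable (o-w)")
        return False, reasons
    reasons.append(f"{p}: file mode grants o+w")
    blocked = False
    # Walk ancestors from the root downwards, skipping directories outside
    # the audited scope when one is given.
    for ancestor in reversed(p.parents):
        if root is not None and not ancestor.is_relative_to(root):
            continue
        if other_can_traverse(ancestor):
            continue
        reasons.append(f"{ancestor}: no o+x for others, path is blocked here")
        blocked = True
    return (not blocked), reasons


def build_demo() -> tuple[str, str, str]:
    """Construct two layouts under a temp dir: one blocked, one open.

    Returns (base, blocked_file, open_file). The blocked layout mirrors the
    containerd case: a 0700 task directory holding a 0666 'address' file.
    """
    base = Path(tempfile.mkdtemp(prefix="scanner-triage-"))
    base.chmod(0o755)  # mkdtemp creates 0700; open the base itself for the demo
    task_dir = base / "io.containerd.runtime.v2.task" / "moby" / "TASK_ID_PLACEHOLDER"
    task_dir.mkdir(parents=True)
    task_dir.parent.parent.chmod(0o755)
    task_dir.parent.chmod(0o755)
    task_dir.chmod(0o700)  # the parent the reply tells you to look at
    blocked_file = task_dir / "address"
    blocked_file.write_text("unix:///run/constructed-example.sock\n")  # constructed
    blocked_file.chmod(0o666)

    open_dir = base / "open"
    open_dir.mkdir()
    open_dir.chmod(0o755)
    open_file = open_dir / "address"
    open_file.write_text("constructed\n")
    open_file.chmod(0o666)
    return str(base), str(blocked_file), str(open_file)


if __name__ == "__main__":
    base, blocked, opened = build_demo()
    for f in (blocked, opened):
        verdict, why = effective_world_writable(f, within=base)
        print("REAL ISSUE" if verdict else "FALSE POSITIVE", f)
        for line in why:
            print("   ", line)
```

Run it on a real finding with `effective_world_writable("/run/containerd/.../address")` (no `within`) to have every ancestor up to `/` checked; the `reasons` list names the directory that stops the path, which is the evidence to attach when closing the scanner ticket.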