
Salsa CI Produces Unintended World-Writable Results

Hello,

I have several Salsa CI pipelines building Debian Docker images.

On one of them, I noticed systemd warning about world-writable permissions on a file that had been copied into /etc/systemd/system. Weird. It didn't do that when I used the image I built locally.

Upon investigating the situation, I found that Salsa was effectively running

chmod -R go+w .

on the checkout.

This introduced security vulnerabilities because in Docker, COPY transfers those permissions to the generated image. Various deb-building approaches could do this also.

Here's how I pinned this down to Salsa.

In the relevant repo, I could type:

$ git ls-tree 91df28f0cc4b0d58cfda57fc1cc5c350bdbaf76d -- service/
100644 blob ec429c0bbdb50da81ba0fbef5fc516fc5dc5791f	service/nncp-caller.service
100644 blob af287bb8255a1fbb774777d56b17b32178dd712e	service/nncp-daemon.service
100644 blob 13201ad7b83ba30cd0370060aede9bd9f5f5893d	service/nncp-toss.service

There - mode 0644.

I added an ls -lR step to the job, so you can see what it looks like at the start of my job in Salsa here: https://salsa.debian.org/jgoerzen/docker-nncp/-/jobs/2439096

drwxrwxrwx    2 root     root          4096 Feb  6 06:50 service
...
./service:
total 12
-rw-rw-rw-    1 root     root           165 Feb  6 06:50 nncp-caller.service
-rw-rw-rw-    1 root     root           165 Feb  6 06:50 nncp-daemon.service
-rw-rw-rw-    1 root     root           179 Feb  6 06:50 nncp-toss.service

It does not appear to be a umask issue; the umask was 0022 as it should be.

I added a:

chmod -R og-w .

to the job which seems to have fixed this issue, but I'm not sure if that is really a permanent fix or why this was happening.

Thanks!
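As an added example (not from this issue, from Salsa, or from the reporter's pipeline), a pre-build step a job like the one above could run before `docker build`: it lists every path in the checkout that is group- or world-writable so the job fails before COPY carries those modes into the image, and it offers a fixer with the same effect as the reporter's `chmod -R og-w .`, restoring the owner-writable-only modes git records (0644/0755). The function and directory names are this example's own.

```shell
#!/bin/sh
# Constructed example: detect and repair group/world-writable paths in a CI
# checkout. Octal -perm tests are used so the script also works on BusyBox find.

# Print every path under $1 (skipping .git) that is group- or other-writable.
list_gw_ow() {
    find "$1" -path '*/.git' -prune -o \
        \( -perm -020 -o -perm -002 \) -print
}

# Return 0 when the tree is clean; otherwise list the offenders on stderr
# and return 1 so a CI job fails before the Docker build stage.
check_tree_perms() {
    offenders=$(list_gw_ow "$1")
    if [ -n "$offenders" ]; then
        echo "group/world-writable paths found under $1:" >&2
        echo "$offenders" >&2
        return 1
    fi
    return 0
}

# Remove group and other write bits from offending paths only, leaving .git
# alone; equivalent in effect to the reporter's `chmod -R og-w .`.
fix_tree_perms() {
    find "$1" -path '*/.git' -prune -o \
        \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}
```

In a `.gitlab-ci.yml` this would run as `check_tree_perms . || { fix_tree_perms .; check_tree_perms .; }` at the top of the build job's script.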
