Vulnerability Discussion
Removing world-writable permissions or setting the sticky bit helps enforce access control on directories within the OpenShift platform. World-writable permissions allow any user to modify or delete files within the directory, which can introduce security risks. By removing these permissions or setting the sticky bit, OpenShift restricts modifications to the directory's owner and prevents unauthorized or unintended changes by other users.
Check
Verify that all world-writable directories have the sticky bit set. List any world-writeable directories that do not have the sticky bit set by executing the following:
for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; find / -type d \( -perm -0002 -a ! -perm -1000 ! -path "/var/lib/containers/*" ! -path "/var/lib/kubelet/pods/*" ! -path "/sysroot/ostree/deploy/*" \) -print 2>/dev/null' 2>/dev/null; done
If there are any directories listed in the results, this is a finding.
Fix
Fix the directory permissions, by either removing world-writeable permission, or setting the sticky bit by executing the following:
oc debug node/ -- chroot /host /bin/bash -c 'chmod XXXX '
where
node_name: The name of the node to connect to (oc get node)
XXXX: Either 1777 (sticky bit) or 0755 (remove group and world write permission)
: The directory on which to correct the permissions