Package: bubblewrap
Version: 0.3.3-2
Tags: security

If the file specified by the --ro-bind-data option doesn't exist yet, bubblewrap creates it as world-writable:

  $ umask
  0077

  $ ls ~/moo
  ls: cannot access '/home/jwilk/moo': No such file or directory

  $ bwrap --ro-bind / / --bind ~ ~ --ro-bind-data 0 ~/moo -- true < /dev/null

  $ ls -l ~/moo
  -rw-rw-rw- 1 jwilk users 0 Nov 13 15:51 /home/jwilk/moo


This is bad when the directory for the ro-bind-data file is shared between the host and the container, as in the example above.


-- System Information:
Architecture: i386

Versions of packages bubblewrap depends on:
ii  libc6        2.29-3
ii  libcap2      1:2.27-1
ii  libselinux1  2.9-3

--
Jakub Wilk
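The security-relevant point in the report above is that --ro-bind-data only makes the file read-only inside the sandbox; on the host, a 0666 file in a directory the sandbox shares with the host can be rewritten by any local user, so the "read-only" data the sandboxed process trusts is attacker-controllable. The script below is an added example, not code from the bug report or from bubblewrap itself. It is a workaround for the behaviour described: pre-create the target with owner-only permissions regardless of umask, then verify the mode before and after bwrap runs. It assumes bwrap writes into an already existing target rather than recreating it; the post-run check catches the case where that assumption fails. The hypothetical helper names (file_mode, prepare_data_file, run_with_ro_data) are mine.

```shell
#!/bin/sh
# Added example (not part of the bug report or of bubblewrap).
# Mitigation for --ro-bind-data creating a world-writable file: create the
# target ourselves with mode 0600 before bwrap ever sees the path, and check
# the mode again afterwards.

set -eu

# Print the 10-character permission string from ls (portable across GNU/BSD),
# e.g. "-rw-------".  SELinux '.' / ACL '+' markers sit in column 11 and are cut.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Create (or truncate) the data file with owner-only permissions, independent
# of the caller's umask; also tightens a pre-existing loose file.
# Returns non-zero if the mode is not rw------- afterwards.
prepare_data_file() {
    path=$1
    (umask 077; : > "$path")   # 0666 & ~077 = 0600 even if umask was 000
    chmod 600 "$path"          # fixes the mode if the file already existed
    [ "$(file_mode "$path")" = "-rw-------" ]
}

# Run bwrap with the data file pre-created, feeding the data on fd 0 as the
# report does, and fail if bwrap changed the mode (i.e. recreated the file).
run_with_ro_data() {
    path=$1; shift
    prepare_data_file "$path"
    bwrap --ro-bind / / --bind "$HOME" "$HOME" \
          --ro-bind-data 0 "$path" -- "$@" < /dev/null
    [ "$(file_mode "$path")" = "-rw-------" ]
}

# Demonstration when invoked as "./script demo": uses a temp file under $HOME,
# i.e. a directory shared between host and container, as in the report.
if [ "${1:-}" = "demo" ] && command -v bwrap >/dev/null 2>&1; then
    tmp=$(mktemp "$HOME/moo.XXXXXX")
    rm -f "$tmp"                     # start from "file does not exist yet"
    run_with_ro_data "$tmp" true && echo "mode stayed $(file_mode "$tmp")"
    rm -f "$tmp"
fi
```

The prepare step is the part that matters: once the file exists with mode 0600, the creation path that produced -rw-rw-rw- in the report is never reached, and the trailing check turns any regression into a hard failure rather than a silently writable file.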
