Files and scripts with 666 permissions in gitlab-ce container.
In the recent gitlab-ce container I found this:
# ls -l /var/lib/containers/storage/overlay/41b3e4a792a84f289d80213acada7c3debdc336b93c45d8e540c5410ec8f7799/merged/assets/sshd_config
-rw-rw-rw- 1 root root 847 Jan 13 20:57 /var/lib/containers/storage/overlay/41b3e4a792a84f289d80213acada7c3debdc336b93c45d8e540c5410ec8f7799/merged/assets/sshd_config
There are even more files that need investigation:
[root@cloudgit gitlab.pod]# find /var/lib/containers/storage/overlay/41b3e4a792a84f289d80213acada7c3debdc336b93c45d8e540c5410ec8f7799/merged -perm -o+w -type f
/var/lib/containers/storage/overlay/41b3e4a792a84f289d80213acada7c3debdc336b93c45d8e540c5410ec8f7799/merged/assets/download-package
/var/lib/containers/storage/overlay/41b3e4a792a84f289d80213acada7c3debdc336b93c45d8e540c5410ec8f7799/merged/assets/gitlab.rb
/var/lib/containers/storage/overlay/41b3e4a792a84f289d80213acada7c3debdc336b93c45d8e540c5410ec8f7799/merged/assets/setup
/var/lib/containers/storage/overlay/41b3e4a792a84f289d80213acada7c3debdc336b93c45d8e540c5410ec8f7799/merged/assets/sshd_config
/var/lib/containers/storage/overlay/41b3e4a792a84f289d80213acada7c3debdc336b93c45d8e540c5410ec8f7799/merged/assets/update-permissions
/var/lib/containers/storage/overlay/41b3e4a792a84f289d80213acada7c3debdc336b93c45d8e540c5410ec8f7799/merged/assets/wrapper
Having config files or scripts within a container that are writable by any user means that the smallest bug in any piece of software can let an attacker use those scripts to escalate privileges within the container, taking over deployment pipelines, secrets and all the protected data of the gitlab instance.
It is maybe also worth mentioning that within the gitlab-ci docker pipeline, files of the repositories are checked out with mode 666 as well, and if the developer forgets to chmod 644 those files in the Dockerfile build, those files will go into the built container. As git's usual behaviour is to check out files with 644, we can probably agree that a developer will likely forget about that!
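The audit and the fix described above, as an added example (not from this report or from GitLab itself): it lists world-writable regular files under any rootfs path (such as the overlay "merged" directory above, or a CI checkout), strips the o+w bit, and builds a small constructed tree mirroring the report's layout so it can be exercised without a container at hand.

```sh
#!/bin/sh
# Audit a container rootfs or build context for regular files that are
# writable by any user, and optionally remove that bit. All paths are
# supplied by the caller; nothing here is tied to a specific image.

# Print every world-writable regular file under $1, one per line.
list_world_writable() {
    find "$1" -xdev -type f -perm -o+w 2>/dev/null | sort
}

# Count world-writable regular files under $1.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove the world-writable bit from every such file under $1. This is the
# after-the-fact equivalent of the chmod 644 the report asks for in the
# Dockerfile build; it leaves owner and group bits untouched.
fix_world_writable() {
    find "$1" -xdev -type f -perm -o+w -exec chmod o-w {} +
}

# Constructed sample tree: two 666 files under assets/ like the report
# shows, plus one correctly permissioned config for contrast.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/assets" "$dir/etc"
    printf 'PermitRootLogin no\n' > "$dir/assets/sshd_config"
    printf '#!/bin/sh\necho setup\n' > "$dir/assets/setup"
    printf 'external_url "http://example"\n' > "$dir/etc/gitlab.rb"
    chmod 666 "$dir/assets/sshd_config" "$dir/assets/setup"
    chmod 644 "$dir/etc/gitlab.rb"
    printf '%s\n' "$dir"
}
```

Against a live image the same `find` works on the overlay "merged" path from the report (run as root), and the fix can be baked into the Dockerfile as a final `RUN find / -xdev -type f -perm -o+w -exec chmod o-w {} +` step.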