Check for world writable files in the agent docker image (DataDog#31410)
L3n41c authored Nov 25, 2024
1 parent b65ed90 commit a22a165
Showing 2 changed files with 33 additions and 17 deletions.
8 changes: 3 additions & 5 deletions Dockerfiles/agent/Dockerfile
Expand Up @@ -245,13 +245,11 @@ COPY --from=nosys-seccomp /tmp/nosys.so /opt/lib/nosys.so
ENV LD_PRELOAD=/opt/lib/nosys.so

# Single entrypoint
COPY entrypoint.sh /bin/entrypoint.sh
COPY entrypoint.d /opt/entrypoints
RUN chmod 755 /bin/entrypoint.sh \
&& chmod 755 -R /opt/entrypoints
COPY --chmod=755 entrypoint.sh /bin/entrypoint.sh
COPY --chmod=755 entrypoint.d /opt/entrypoints

CMD ["/bin/entrypoint.sh"]

FROM release AS test
COPY test_image_contents.py /tmp/test_image_contents.py
COPY --chmod=755 test_image_contents.py /tmp/test_image_contents.py
RUN ./tmp/test_image_contents.py && rm -f ./tmp/test_image_contents.py
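Review bot: The new `COPY --chmod=755` lines only work under BuildKit (the classic builder rejects the flag), and the file header with any `# syntax=docker/dockerfile:1` directive is outside this section, so that requirement is worth a comment above the first of them, e.g. `# --chmod sets the mode inside the copy layer itself (BuildKit only), so no intermediate layer ever carries host-derived mode bits`. Behaviour otherwise matches the removed `chmod 755 -R`, since `--chmod=755` on the `entrypoint.d` directory source applies to every copied file and subdirectory. The same comment covers the test stage's `COPY --chmod=755 test_image_contents.py`.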
42 changes: 30 additions & 12 deletions Dockerfiles/agent/test_image_contents.py
@@ -1,7 +1,9 @@
#!/opt/datadog-agent/embedded/bin/python

import grp
import os
import os.path
import pwd
import stat
import unittest
from hashlib import sha256
Expand Down Expand Up @@ -47,18 +49,34 @@ def test_files_checksums(self):
self.assertEqual(sha.hexdigest(), digest, file + " checksum mismatch")

def test_files_permissions(self):
def has_write_permissions(path):
try:
return bool(os.stat(path).st_mode & stat.S_IWOTH)
except Exception:
return False

for root, dirs, files in os.walk("/etc"):
for name in files:
self.assertFalse(has_write_permissions(os.path.join(root, name)))
for name in dirs:
os.path.join(root, name)
self.assertFalse(has_write_permissions(os.path.join(root, name)))
for root, dirs, files in os.walk("/"):
dirs[:] = filter(
lambda dir: not os.path.ismount(os.path.join(root, dir)), dirs
)

for name in dirs + files:
f = os.path.join(root, name)

try:
s = os.stat(f)
except FileNotFoundError:
pass
except Exception as e:
self.fail(f"Failed to stat {f}: {e}")
self.assertFalse(
s.st_mode & (stat.S_IWOTH | stat.S_ISVTX) == stat.S_IWOTH,
f"{f} should not be world-writable",
)

try:
pwd.getpwuid(s.st_uid)
except KeyError:
self.fail(f"Unknown user {s.st_uid} for {f}")

try:
grp.getgrgid(s.st_gid)
except KeyError:
self.fail(f"Unknown group {s.st_gid} for {f}")


if __name__ == "__main__":
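Review bot: In the new `os.walk("/")` loop, `except FileNotFoundError: pass` falls through to the mode check with `s` unbound on the first entry (UnboundLocalError) or still holding the previous entry's stat result, so a dangling symlink is checked against another file's mode, owner and group; it should be `continue`. The sticky-bit exemption is also applied to regular files, where Linux ignores S_ISVTX, so a world-writable file with the sticky bit set passes the check; limiting the exemption to directories with `stat.S_ISDIR` closes that gap, and spelling the condition out as two named booleans reads more clearly than the inline `&`/`==` expression. The first hunk of this file only adds the `grp`/`pwd` imports the new code uses.
```python
for name in dirs + files:
    f = os.path.join(root, name)

    try:
        s = os.stat(f)
    except FileNotFoundError:
        # dangling symlink or entry removed mid-walk: nothing to check
        continue
    except Exception as e:
        self.fail(f"Failed to stat {f}: {e}")

    # The sticky bit only relaxes the rule for /tmp-style directories;
    # Linux ignores S_ISVTX on regular files, so they get no exemption.
    world_writable = bool(s.st_mode & stat.S_IWOTH)
    sticky_dir = stat.S_ISDIR(s.st_mode) and bool(s.st_mode & stat.S_ISVTX)
    self.assertFalse(
        world_writable and not sticky_dir,
        f"{f} should not be world-writable",
    )
    # … unchanged: owner and group lookups …
```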
