Thanks for filing this report.
The issue isn't really "secrets" being exposed in the cache, but rather
setuid-root or file-capability-endowed binaries in the rootfs,
especially if they become stale and contain a CVE. Lxc can't be sure
where third-party templates have stored such binaries, so if
/var/cache/lxc was 755 then every subdirectory would need to be 700, and
we'd have to worry about a bug leaving one open.
If you "know what you're doing" then you can chmod /var/cache/lxc on
your systems to 755, and lxc won't revert those permissions against your
will. But I'm afraid we have to mark this wontfix. Too bad, because I
agree it *is* inconvenient.
** Changed in: lxc (Ubuntu)
Status: New => Won't Fix
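The check a practitioner would want before loosening the cache mode, as an added example that is not code from the bug report or from LXC: it lists setuid/setgid and file-capability binaries inside cached rootfs trees and tells you whether the cache directory actually keeps them out of reach of unprivileged users. It assumes POSIX sh, find(1), stat(1) (GNU or BSD) and, optionally, getcap(8).

```shell
#!/bin/sh
# Added example, not code from the bug report or from LXC itself.
# Audits an LXC template cache for what the maintainer describes above:
# setuid/setgid binaries and file-capability binaries inside cached
# rootfs trees, which any local user could execute if the cache directory
# were opened up to mode 755. Assumes POSIX sh, find(1), stat(1) (GNU or
# BSD flavour) and, optionally, getcap(8) from libcap.

# List setuid or setgid regular files below directory $1, one path per line.
find_privileged_bins() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# List files below $1 that carry file capabilities (empty if getcap is absent).
find_cap_bins() {
    command -v getcap >/dev/null 2>&1 || return 0
    getcap -r "$1" 2>/dev/null
}

# Succeed (0) when directory $1 is not searchable by "other", i.e. its
# contents stay out of reach of unprivileged users; fail (1) otherwise.
cache_is_restricted() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    case "$mode" in
        *[1357]) return 1 ;;   # last octal digit carries the search bit for "other"
        *)       return 0 ;;
    esac
}

# Report privileged files under $1 (default /var/cache/lxc) and return
# 1 only when they are reachable by every local user, 0 otherwise.
audit_cache() {
    dir=${1:-/var/cache/lxc}
    count=$( { find_privileged_bins "$dir"; find_cap_bins "$dir"; } | wc -l | tr -d ' ')
    if cache_is_restricted "$dir"; then
        echo "$dir: $count privileged file(s), directory is not world-searchable"
        return 0
    fi
    echo "$dir: world-searchable, $count privileged file(s) reachable by all users"
    [ "$count" -eq 0 ]
}
```

Run `audit_cache` as root against the real cache before and after any chmod; a non-zero exit means the convenience of 755 comes with stale setuid binaries exposed to every local account.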
https://bugs.launchpad.net/bugs/1472142
Title:
/var/cache/lxc not world readable
--
ubuntu-bugs mailing list