From b6a7b2482cb828eef4f73c8d79a0389bee263726 Mon Sep 17 00:00:00 2001 From: Caleb Xu Date: Mon, 20 Oct 2025 11:11:49 -0400 Subject: [PATCH] fix(dockerfile): set more lenient permissions on /home/runner Currently, the permissions of /home/runner are 750. In some container runtimes and Kubernetes distributions (including OpenShift), a different uid/gid (not `runner`) may be used when running the image. The runner expects to be able to read and execute scripts within the home directory, and it will also write ephemeral files, diagnostic data, etc. into the directory as well. Therefore, to support the ability to use the runner as a user apart from `runner`, full 777 permissions are needed. A longer-term change to consider which may improve the security posture here would be to separate the executable portions of the application (scripts, etc.) from the places where temporary data is written, and control the permissions of these separately. Signed-off-by: Caleb Xu --- images/Dockerfile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/images/Dockerfile b/images/Dockerfile index cefe05a74ef..11784baf323 100644 --- a/images/Dockerfile +++ b/images/Dockerfile @@ -54,14 +54,15 @@ RUN add-apt-repository ppa:git-core/ppa \ && apt install -y git \ && rm -rf /var/lib/apt/lists/* +WORKDIR /home/runner + RUN adduser --disabled-password --gecos "" --uid 1001 runner \ && groupadd docker --gid 123 \ && usermod -aG sudo runner \ && usermod -aG docker runner \ && echo "%sudo ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers \ - && echo "Defaults env_keep += \"DEBIAN_FRONTEND\"" >> /etc/sudoers - -WORKDIR /home/runner + && echo "Defaults env_keep += \"DEBIAN_FRONTEND\"" >> /etc/sudoers \ + && chmod 777 /home/runner COPY --chown=runner:docker --from=build /actions-runner . COPY --from=build /usr/local/lib/docker/cli-plugins/docker-buildx /usr/local/lib/docker/cli-plugins/docker-buildx