From 33a6115867f59fc479dba6ca009de3492632c114 Mon Sep 17 00:00:00 2001
From: "W. Trevor King"
Date: Mon, 17 Feb 2020 14:56:07 -0800
Subject: [PATCH] Revert "images/tests: Globally-writeable /etc/passwd"
This reverts commit ca35cd633a46d2156ef598e827ce230391684926, #22592. As described in that commit message, the access was broadened to allow ssh from containers launched from the tests image. But since openshift/release@7baa9f2e44 (ci-operator/templates/openshift: Remove Terraform-state-based SSH gathers, 2020-01-25, openshift/release#6854) landed, we no longer need to SSH from those containers. Restore the usual access restrictions to address CVE-2019-19347[1]. [1]: https://bugzilla.redhat.com/show_bug.cgi?id=1793287
---
 images/tests/Dockerfile.rhel | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/images/tests/Dockerfile.rhel b/images/tests/Dockerfile.rhel
index 9e74e618d5b7..1855677c11df 100644
--- a/images/tests/Dockerfile.rhel
+++ b/images/tests/Dockerfile.rhel
@@ -9,8 +9,7 @@ FROM registry.svc.ci.openshift.org/ocp/4.2:cli
 COPY --from=builder /tmp/build/openshift-tests /usr/bin/
 RUN yum install --setopt=tsflags=nodocs -y git gzip util-linux && yum clean all && rm -rf /var/cache/yum/* && \
 git config --system user.name test && \
- git config --system user.email test@test.com && \
- chmod g+w /etc/passwd
+ git config --system user.email test@test.com
 LABEL io.k8s.display-name="OpenShift End-to-End Tests" \
 io.k8s.description="OpenShift is a platform for developing, building, and deploying containerized applications." \
 io.openshift.tags="openshift,tests,e2e"
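Review bot: Nothing in the new RUN chain records or enforces the restored mode of /etc/passwd, so the `chmod g+w` that this revert drops could be reintroduced later, or the file could arrive group-writable from the `ocp/4.2:cli` base layer, without the build noticing. The base image's mode is not visible in this hunk, so that part is an assumption to confirm. I would add a comment above the RUN, `# /etc/passwd must keep its default mode; making it group-writable was CVE-2019-19347`, and optionally end the chain with `[ "$(stat -c %a /etc/passwd)" = 644 ]` so a regression fails the image build.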