build.sh: allow group write on /usr/bin #4410
Open
+7
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Allow group write permissions on /usr/bin because in upstream project's CI we want to overwrite binaries for testing. The dir is owned by root:root and CI runs in openshift as a user that is a member of the `root` (GID: 0) group. See coreos/coreos-installer#1716
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request adds group-write permissions to /usr/bin to facilitate testing in a CI environment. However, this change introduces a critical security vulnerability by allowing any process with root group privileges to modify system binaries, potentially leading to privilege escalation. My review includes a critical comment explaining the risks and suggesting a safer alternative, such as using a separate directory for test binaries and modifying the PATH.
Comment on lines
+115
to
+120
| # Allow group write permissions on /usr/bin because in upstream | ||
| # project's CI we want to overwrite binaries for testing. The dir is | ||
| # owned by root:root and CI runs in openshift as a user that is a | ||
| # member of the `root` (GID: 0) group. | ||
| # See https://github.com/coreos/coreos-installer/pull/1716 | ||
| chmod g+w /usr/bin |
Contributor
There was a problem hiding this comment.
Granting group-write permissions to /usr/bin introduces a critical security vulnerability. Any process running with GID 0 (as is common in OpenShift for non-root users) can modify or replace any system binary in that directory. This could be exploited for privilege escalation if a compromised process replaces a commonly used executable (like ls, sudo, or curl) with a malicious version.
While this is for a CI environment, it's a dangerous practice that violates the principle of least privilege. A safer alternative for overriding binaries for testing would be:
- Create a separate directory (e.g.,
/opt/testing-bin). - Grant write permissions to that directory.
- In your CI test environment, prepend this directory to the
PATHenvironment variable (e.g.,export PATH=/opt/testing-bin:$PATH).
This approach allows you to override binaries without altering the permissions of critical system directories.
dustymabe
added a commit
to dustymabe/coreos-installer
that referenced
this pull request
Jan 9, 2026
We opened up the permissions when building the COSA container [1] so this isn't necessary any longer with a few adjustments here. [1] coreos/coreos-assembler#4410
Member
Author
|
so here we are opening up permissions on @HuijingHei maybe we could be more targeted in what we copy over in ostree CI? What we're currently copying is quite exhaustive: Details |
dustymabe
added a commit
to dustymabe/coreos-installer
that referenced
this pull request
Jan 9, 2026
We opened up the permissions when building the COSA container [1] so this isn't necessary any longer with a few adjustments here. [1] coreos/coreos-assembler#4410
dustymabe
added a commit
to dustymabe/coreos-installer
that referenced
this pull request
Jan 9, 2026
We opened up the permissions when building the COSA container [1] so this isn't necessary any longer with a few adjustments here. [1] coreos/coreos-assembler#4410
Member
Agree with you, I have no better workaround for this, how about |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Allow group write permissions on /usr/bin because in upstream project's CI we want to overwrite binaries for testing. The dir is owned by root:root and CI runs in openshift as a user that is a member of the
root(GID: 0) group.See coreos/coreos-installer#1716