Home / Companies / Buildkite / Blog / Post Details
Content Deep Dive

Paved with good intentions: The story of fix-buildkite-agent-builds-permissions

Blog post from Buildkite

Post Details
Company
Date Published
Author
Josh Deprez
Word Count
1,551
Company Posts That Month
10
Language
English
Hacker News Points
59
Post removed?
No
Summary

The text describes an issue with file permissions in a Docker container used for running jobs. A Bash script was initially created to fix the file permissions, but it had security vulnerabilities due to potential manipulation of symlinks by attackers. The solution involved using syscalls like openat2 and fchownat to ensure that the path given to chown is a subpath of a trusted directory while preventing any symlinks. This approach effectively creates a tiny per-open-call chroot jail, ensuring security in file permission management within Docker containers.

Trends Found in this Post

No tracked trend matches for this post yet.

Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.