Fix Insecure File Permissions (#175)

Changes to disable read and write permissions to the group user Signed-off-by: asararatnakar <asara.ratnakar@gmail.com>
hyperledger-labs · Mar 11, 2024 · e314f75 · e314f75
1 parent 5089f42
commit e314f75
Show file tree

Hide file tree

Showing 6 changed files with 13 additions and 0 deletions.
diff --git a/definitions/ca/deployment.yaml b/definitions/ca/deployment.yaml
@@ -82,6 +82,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 7051
             runAsNonRoot: true
             runAsUser: 7051
           volumeMounts:
@@ -130,6 +131,7 @@ spec:
             runAsUser: 0
       securityContext:
         fsGroup: 7051
+        runAsGroup: 7051
         runAsNonRoot: true
         runAsUser: 7051
       serviceAccountName: sample

diff --git a/definitions/console/deployment.yaml b/definitions/console/deployment.yaml
@@ -70,6 +70,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
           volumeMounts:
@@ -117,6 +118,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
           volumeMounts:
@@ -199,6 +201,7 @@ spec:
             runAsUser: 0
       securityContext:
         fsGroup: 2000
+        runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
       serviceAccountName: sample
diff --git a/definitions/orderer/deployment.yaml b/definitions/orderer/deployment.yaml
@@ -80,6 +80,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 7051
             runAsNonRoot: true
             runAsUser: 7051
           startupProbe:
@@ -171,6 +172,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
           volumeMounts:
@@ -221,6 +223,7 @@ spec:
               subPath: data
       securityContext:
         fsGroup: 2000
+        runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
       serviceAccountName: sample
diff --git a/definitions/peer/chaincode-launcher.yaml b/definitions/peer/chaincode-launcher.yaml
@@ -20,6 +20,7 @@ imagePullPolicy: Always
 securityContext:
   privileged: false
   readOnlyRootFileSystem: false
+  runAsGroup: 7051
   runAsNonRoot: true
   runAsUser: 7051
   capabilities:

diff --git a/definitions/peer/couchdb.yaml b/definitions/peer/couchdb.yaml
@@ -21,6 +21,7 @@ imagePullPolicy: Always
 securityContext:
   privileged: false
   readOnlyRootFileSystem: false
+  runAsGroup: 5984
   runAsNonRoot: true
   runAsUser: 5984
   capabilities:

diff --git a/definitions/peer/deployment.yaml b/definitions/peer/deployment.yaml
@@ -144,6 +144,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 7051
             runAsNonRoot: true
             runAsUser: 7051
           volumeMounts:
@@ -225,6 +226,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
           volumeMounts:
@@ -269,5 +271,6 @@ spec:
               subPath: data
       securityContext:
         fsGroup: 2000
+        runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000