CMP-3563: Explicitly set /etc/passwd permissions to 644

Author: xiaojiey

Dockerfile.ci

@@ -12,16 +12,16 @@ RUN make manager
 # Step two: containerize compliance-operator
 FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 
-ENV OPERATOR=/usr/local/bin/compliance-operator \
-    USER_UID=1001 \
-    USER_NAME=compliance-operator
+ENV OPERATOR=/usr/local/bin/compliance-operator
 
 # install operator binary
 COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR}
 
-COPY build/bin /usr/local/bin
-RUN  /usr/local/bin/user_setup
+COPY build/bin/entrypoint /usr/local/bin/entrypoint
+
+# Ensure /etc/passwd has correct permissions (should be 644, not 664)
+RUN chmod 644 /etc/passwd
 
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
 
-USER ${USER_UID}
+USER 1001

build/Dockerfile

@@ -11,16 +11,16 @@ RUN make manager
 # Step two: containerize compliance-operator
 FROM registry.access.redhat.com/ubi9/ubi-micro:latest
 
-ENV OPERATOR=/usr/local/bin/compliance-operator \
-    USER_UID=1001 \
-    USER_NAME=compliance-operator
+ENV OPERATOR=/usr/local/bin/compliance-operator
 
 # install operator binary
 COPY --from=builder /go/src/github.com/openshift/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR}
 
-COPY build/bin /usr/local/bin
-RUN  /usr/local/bin/user_setup
+COPY build/bin/entrypoint /usr/local/bin/entrypoint
+
+# Ensure /etc/passwd has correct permissions (should be 644, not 664)
+RUN chmod 644 /etc/passwd
 
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
 
-USER ${USER_UID}
+USER 1001

build/bin/entrypoint

@@ -1,12 +1,11 @@
 #!/bin/sh -e
 
 # This is documented here:
-# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+# https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/images/creating-images#use-uid_create-images
 
-if ! whoami &>/dev/null; then
-  if [ -w /etc/passwd ]; then
-    echo "${USER_NAME:-compliance-operator}:x:$(id -u):$(id -g):${USER_NAME:-compliance-operator} user:${HOME}:/sbin/nologin" >> /etc/passwd
-  fi
-fi
+# Since version 4.1 OCP supports arbitrary UIDs without requiring /etc/passwd entries
+# https://docs.redhat.com/en/documentation/openshift_container_platform/4.1/html/images/creating_images
+# The container runs with the UID assigned by the platform, with group 0 (root) membership
+# File permissions are managed through group ownership, not username lookups
 
 exec ${OPERATOR} $@

build/bin/user_setup

@@ -31,19 +31,17 @@ LABEL \
 
 WORKDIR /
 
-# Needed by the user_setup and entrypoint scripts
-ENV OPERATOR_BIN=/usr/local/bin/compliance-operator \
-    USER_NAME=compliance-operator \
-    USER_UID=1001
+ENV OPERATOR_BIN=/usr/local/bin/compliance-operator
 
 COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/LICENSE /licenses/LICENSE
 COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/build/_output/bin/compliance-operator ${OPERATOR_BIN}
-COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/build/bin/* /usr/local/bin
+COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/build/bin/entrypoint /usr/local/bin/entrypoint
 # This is required for the bundle build.
 COPY --from=builder /go/src/github.com/ComplianceAsCode/compliance-operator/bundle /bundle
 
-RUN  /usr/local/bin/user_setup
+# Ensure /etc/passwd has correct permissions (should be 644, not 664)
+RUN chmod 644 /etc/passwd
 
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
 
-USER ${USER_UID}
+USER 1001