From 7d3f92bd512e29f5768e26fed201b8b6da3c7e5d Mon Sep 17 00:00:00 2001 From: liqiang-fit2cloud Date: Wed, 19 Nov 2025 14:32:05 +0800 Subject: [PATCH] fix: fix incorrect permission may introduce security vulnerabilities. --- apps/common/utils/tool_code.py | 11 ++++------- installer/Dockerfile-base | 2 +- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/apps/common/utils/tool_code.py b/apps/common/utils/tool_code.py index e006e2ddf..34eb2e130 100644 --- a/apps/common/utils/tool_code.py +++ b/apps/common/utils/tool_code.py @@ -36,13 +36,10 @@ class ToolExecutor: if ToolExecutor._dir_initialized: # 只初始化一次 return - if self.sandbox: - os.system(f"chown {self.user}:root {self.sandbox_path}") - os.chmod(self.sandbox_path, 0o550) - if CONFIG.get("SANDBOX_TMP_DIR_ENABLED", '0') == "1": - tmp_dir_path = os.path.join(self.sandbox_path, 'tmp') - os.makedirs(tmp_dir_path, 0o700, exist_ok=True) - os.system(f"chown -R {self.user}:root {tmp_dir_path}") + if CONFIG.get("SANDBOX_TMP_DIR_ENABLED", '0') == "1": + tmp_dir_path = os.path.join(self.sandbox_path, 'tmp') + os.makedirs(tmp_dir_path, 0o700, exist_ok=True) + os.system(f"chown -R {self.user}:root {tmp_dir_path}") if os.path.exists(self.sandbox_so_path): os.chmod(self.sandbox_so_path, 0o440) try: diff --git a/installer/Dockerfile-base b/installer/Dockerfile-base index 176809062..09e659b48 100644 --- a/installer/Dockerfile-base +++ b/installer/Dockerfile-base @@ -26,7 +26,7 @@ RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \ curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh && \ mkdir -p /opt/maxkb-app/sandbox && \ useradd --no-create-home --home /opt/maxkb-app/sandbox sandbox -g root && \ - chown -R sandbox:root /opt/maxkb-app/sandbox && \ + chown -R sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \ chmod g-xr /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/17/bin/* && \ chmod g+xr /usr/bin/ld.so && \ chmod g+x /usr/local/bin/python* && \