Fix Insecure File Permissions (#175)

asararatnakar · Shoaeb Jindani · commit 6ebcc7ef90e2 · 2024-03-21T11:41:38.000+05:30
Changes to disable read and write permissions to the group user

Signed-off-by: asararatnakar &lt;asara.ratnakar@gmail.com&gt;
Signed-off-by: Shoaeb Jindani &lt;jindani.shoaeb@ibm.com&gt;
diff --git a/definitions/ca/deployment.yaml b/definitions/ca/deployment.yaml
@@ -82,6 +82,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 7051
             runAsNonRoot: true
             runAsUser: 7051
           volumeMounts:
@@ -130,6 +131,7 @@ spec:
             runAsUser: 0
       securityContext:
         fsGroup: 7051
+        runAsGroup: 7051
         runAsNonRoot: true
         runAsUser: 7051
       serviceAccountName: sample
diff --git a/definitions/console/deployment.yaml b/definitions/console/deployment.yaml
@@ -70,6 +70,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
           volumeMounts:
@@ -117,6 +118,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
           volumeMounts:
@@ -199,6 +201,7 @@ spec:
             runAsUser: 0
       securityContext:
         fsGroup: 2000
+        runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
       serviceAccountName: sample
diff --git a/definitions/orderer/deployment.yaml b/definitions/orderer/deployment.yaml
@@ -80,6 +80,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 7051
             runAsNonRoot: true
             runAsUser: 7051
           startupProbe:
@@ -171,6 +172,7 @@ spec:
                 - ALL
             privileged: false
             readOnlyRootFilesystem: false
+            runAsGroup: 1000
             runAsNonRoot: true
             runAsUser: 1000
           volumeMounts:
@@ -221,6 +223,7 @@ spec:
               subPath: data
       securityContext:
         fsGroup: 2000
+        runAsGroup: 1000
         runAsNonRoot: true
         runAsUser: 1000
       serviceAccountName: sample
diff --git a/definitions/peer/chaincode-launcher.yaml b/definitions/peer/chaincode-launcher.yaml
@@ -20,6 +20,7 @@ imagePullPolicy: Always
 securityContext:
   privileged: false
   readOnlyRootFileSystem: false
+  runAsGroup: 7051
   runAsNonRoot: true
   runAsUser: 7051
   capabilities:
diff --git a/definitions/peer/couchdb.yaml b/definitions/peer/couchdb.yaml
@@ -21,6 +21,7 @@ imagePullPolicy: Always
 securityContext:
   privileged: false
   readOnlyRootFileSystem: false
+  runAsGroup: 5984
   runAsNonRoot: true
   runAsUser: 5984
   capabilities:
