
Ubuntu Resolute base image contains world-writable /var/lib/pebble/default directory #7054

@lbussell


Summary

The ubuntu:resolute base image ships with /var/lib/pebble/default as a world-writable directory without the sticky bit set. This causes the VerifyInsecureFiles test to fail for all 11.0-resolute images (runtime-deps, runtime, aspnet, sdk) across all architectures (amd64, arm64, arm32).

Reproduction

docker run --rm -u root --entrypoint /bin/sh ubuntu:resolute -c \
  "find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \)"

Output:

/var/lib/pebble/default

Impact

The VerifyInsecureFiles test asserts that no world-writable directories (without sticky bit) or world-writable files exist in the image. The /var/lib/pebble/default directory from the upstream Ubuntu Resolute image violates this check.

Current Workaround

The VerifyInsecureFiles test is skipped for unstable/pre-release OS versions. Once Ubuntu Resolute is GA and the base image issue is resolved upstream, the test will automatically re-enable.

Expected Resolution

The upstream ubuntu:resolute base image should either:

  1. Remove the /var/lib/pebble/default directory, or
  2. Set appropriate permissions (remove world-writable bit or add sticky bit)

If the upstream image is not fixed before Resolute goes GA, we will need to add a chmod or rm -rf in our runtime-deps Dockerfile template to remediate the insecure permissions.
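As an added example (not the dotnet-docker repository's own test), the shell below implements the same check VerifyInsecureFiles performs, plus the chmod remediation the issue proposes; the function names and the root-directory argument are my own.

```shell
#!/bin/sh
# Standalone version of the VerifyInsecureFiles check: world-writable
# directories without the sticky bit, and world-writable regular files,
# are both reported. The root argument defaults to / so the script can run
# inside a container; point it at a scratch directory for a local dry run.

# Print every insecure path under $1 (nothing when the tree is clean).
find_insecure_files() {
    root="${1:-/}"
    find "$root" -xdev \
        \( \( -type d -perm -0002 ! -perm -1000 \) -o \
           \( -type f -perm -0002 \) \) -print 2>/dev/null
}

# Return 0 if the tree is clean, 1 if any insecure path was found.
verify_insecure_files() {
    insecure="$(find_insecure_files "$1")"
    if [ -n "$insecure" ]; then
        printf 'insecure paths found:\n%s\n' "$insecure" >&2
        return 1
    fi
    return 0
}

# Resolution option 2 from the issue: drop the world-writable bit on
# offending directories. Use "chmod +t" instead when the directory is
# meant to be shared by all users, as /tmp is.
remediate_insecure_dirs() {
    find "${1:-/}" -xdev -type d -perm -0002 ! -perm -1000 \
        -exec chmod o-w {} +
}
```

Running `verify_insecure_files /` inside ubuntu:resolute should list /var/lib/pebble/default and exit non-zero, matching the reproduction above.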

Related: #7053

Labels: area-external (Issues in external projects or services that affect .NET container images)