security(scripts): 🔒️ Fix root-owned directory permissions in Docker bind mounts to prevent security vulnerabilities
Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>
This commit is contained in:
autocommit
parent
1a1f6437a9
commit
619dafbdcc
1 changed files with 6 additions and 0 deletions
|
|
@ -200,6 +200,12 @@ DOCKER_BUILDKIT=1 docker build \\
|
|||
--file "\${SCRATCH}/tools/docker/Dockerfile.mc-ai" \\
|
||||
"\${SCRATCH}"
|
||||
|
||||
# Pre-create the bind-mount target as the host user. Without this, dockerd
|
||||
# (running as root) auto-creates /work/.local + /work/.local/out as root
|
||||
# when it materialises the bind mount, leaving lilith-unwritable directories
|
||||
# behind that break `git worktree remove` at cleanup time.
|
||||
mkdir -p "\${SCRATCH}/.local/out"
|
||||
|
||||
# Trap → docker kill any container we started, so an OOM-killed or
|
||||
# externally-stopped launcher doesn't leave the daemon-owned container
|
||||
# running past the systemd unit's lifetime.
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue