UNCLASSIFIED - NO CUI

Skip to content

Umask Script is Introducting Bashrc Syntax Error

Summary

The scripts/xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh script is introducing an unmatched backtick character in /etc/bashrc. This causes a warning to be emitted upon each container startup.

Steps to reproduce

Run the following commands.

$ cd /tmp
$ git clone https://repo1.dso.mil/dsop/redhat/ubi/9.x/ubi9-minimal.git --branch master
$ cd ubi9-minimal
$ docker build --no-cache --pull -t repo1-ubi9-minimal:local .
$ docker run --rm -it repo1-ubi9-minimal:local

Observe the output of the docker run command results in the /etc/bashrc warning mentioned below.

$ docker run --rm -it repo1-ubi9-minimal:local
bash: /etc/bashrc: line 69: unexpected EOF while looking for matching ``'
bash: /etc/bashrc: line 90: syntax error: unexpected end of file
bash-5.1#

What is the current bug behavior?

On container startup, the following warning is printed:

bash: /etc/bashrc: line 69: unexpected EOF while looking for matching ``'
bash: /etc/bashrc: line 90: syntax error: unexpected end of file

What is the expected correct behavior?

The container does not print a bash syntax error upon startup.

Notice when pulling the RedHat-provided unmodified ubi9-minimal:latest image, there is no warning. Therefore, it must be one of the hardening scripts applied by this project that is introducing the error to /etc/bashrc.

$ docker run --pull always --rm -it redhat/ubi9-minimal:latest
latest: Pulling from redhat/ubi9-minimal
Digest: sha256:b00f7556d64a698aad6cb63bb75b2692f1538926c6f619d6123cbc20a74239ec
Status: Downloaded newer image for redhat/ubi9-minimal:latest
[root@b0f878daf96e /]#

Relevant logs and/or screenshots

Looking at /etc/bashrc, the following is found on lines 68-72:

    # Set default umask 077
    [ `umask 077

    SHELL=/bin/bash

The same lines in the upstream redhat/ubi9-minimal:latest image are as follows.

    # Set default umask for non-login shell only if it is set to 0
    [ `umask` -eq 0 ] && umask 022

    SHELL=/bin/bash

Possible fixes

The regex used in sed in the script https://repo1.dso.mil/dsop/redhat/ubi/9.x/ubi9-minimal/-/blob/master/scripts/xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc.sh?ref_type=heads#L9 is too greedy. It is capturing more than is desired, introducing the syntax error.

Tasks

  • Bug has been identified and corrected within the container

Please read the Iron Bank Documentation for more info

Edited by Steve Guglielmo
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information

UNCLASSIFIED - NO CUI