fix: fix incorrect permission may introduce security vulnerabilities.

liqiang-fit2cloud · liqiang-fit2cloud · commit 7d3f92bd512e · 2025-11-19T14:32:05.000+08:00
diff --git a/apps/common/utils/tool_code.py b/apps/common/utils/tool_code.py
@@ -36,13 +36,10 @@ def _init_dir(self):
         if ToolExecutor._dir_initialized:
             # 只初始化一次
             return
-        if self.sandbox:
-            os.system(f"chown {self.user}:root {self.sandbox_path}")
-            os.chmod(self.sandbox_path, 0o550)
-            if CONFIG.get("SANDBOX_TMP_DIR_ENABLED", '0') == "1":
-                tmp_dir_path = os.path.join(self.sandbox_path, 'tmp')
-                os.makedirs(tmp_dir_path, 0o700, exist_ok=True)
-                os.system(f"chown -R {self.user}:root {tmp_dir_path}")
+        if CONFIG.get("SANDBOX_TMP_DIR_ENABLED", '0') == "1":
+            tmp_dir_path = os.path.join(self.sandbox_path, 'tmp')
+            os.makedirs(tmp_dir_path, 0o700, exist_ok=True)
+            os.system(f"chown -R {self.user}:root {tmp_dir_path}")
         if os.path.exists(self.sandbox_so_path):
             os.chmod(self.sandbox_so_path, 0o440)
         try:
diff --git a/installer/Dockerfile-base b/installer/Dockerfile-base
@@ -26,7 +26,7 @@ RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && \
     curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh && \
     mkdir -p /opt/maxkb-app/sandbox && \
     useradd --no-create-home --home /opt/maxkb-app/sandbox sandbox -g root && \
-    chown -R sandbox:root /opt/maxkb-app/sandbox && \
+    chown -R sandbox:root /opt/maxkb-app/sandbox && chmod 550 /opt/maxkb-app/sandbox && \
     chmod g-xr /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/17/bin/* && \
     chmod g+xr /usr/bin/ld.so && \
     chmod g+x /usr/local/bin/python* && \
