Description
Please change the file permissions of the soci-snapshotter binary (/usr/bin/soci) to allow execution by non-root users. Currently, the permissions are restricted as follows:
bash-5.2# ls -al /usr/bin/soci
-rwxr--r-- 1 root root 28681048 Jun 16 16:57 /usr/bin/soci
Reason
soci-snapshotter now features a --standalone mode. This mode allows users to build and manipulate OCI images without requiring a container runtime or elevated root privileges.
bash-5.2# soci convert --help
Options:
--standalone run in standalone mode without containerd runtime. In this mode, the command reads an OCI image layout (tar or directory) and writes a converted OCI image layout without requiring a running containerd instance.
Because it can run securely without a containerd instance or root privileges, the executable permission for /usr/bin/soci should be updated to 0755 so that non-root users can utilize this standalone feature.
Since soci does not require SUID or elevated host privileges for this standalone operation, changing the file permission to 0755 is safe and unlocks the full potential of non-root image manipulation.
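Added example, not part of the original issue or the soci-snapshotter project: a shell check of the mode bits this request turns on, reporting whether non-owners can execute the file and whether setuid/setgid or group/world-write bits are present. It assumes GNU `stat`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the issue): inspect the permission bits the request
# is about. Assumes GNU coreutils `stat`; the path is supplied by the caller.

# Print the mode of FILE as octal text, e.g. 744 or 4755.
octal_mode() {
    stat -c '%a' -- "$1"
}

# Print one summary line for FILE:
#   <mode> other_exec=<yes|no> setid=<yes|no> loose_write=<yes|no>
mode_report() {
    mode=$(octal_mode "$1") || return 2
    m=$((0$mode))                        # leading 0: the shell reads it as octal
    other_exec=no; setid=no; loose_write=no
    if [ $((m & 0001)) -ne 0 ]; then other_exec=yes; fi    # o+x
    if [ $((m & 06000)) -ne 0 ]; then setid=yes; fi        # setuid or setgid
    if [ $((m & 0022)) -ne 0 ]; then loose_write=yes; fi   # g+w or o+w
    printf '%s other_exec=%s setid=%s loose_write=%s\n' \
        "$mode" "$other_exec" "$setid" "$loose_write"
}

# Succeed only when FILE is world-executable with no setuid/setgid bit and
# no group/world write bit, which is what mode 0755 gives.
nonroot_exec_ok() {
    case $(mode_report "$1") in
        *"other_exec=yes setid=no loose_write=no") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone use: sh check_mode.sh /usr/bin/soci
if [ "$#" -gt 0 ]; then
    mode_report "$1"
    if nonroot_exec_ok "$1"; then
        echo "non-root users can execute $1; no setid or loose write bits"
    else
        echo "$1 is not in the requested 0755-style state"
    fi
fi
```

The `-rwxr--r--` listing above corresponds to mode 744, for which `mode_report` prints `other_exec=no`.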