Self-hosted Docker runner creates root-owned tmp files

Philipp Winterle
June 13, 2025

Context

Self-hosted Docker Linux runners created with the given command are creating root-owned files in /tmp.

/tmp is the WORKSPACE directory.

This is a security issue, as these files could lead to privilege escalation when there is a script in my pipeline which can damage the host. This script can be executed with root rights on the host when the attacker is on the host system.

What I tried in order to prevent it:

  • used a Docker volume so that the WORKSPACE directory is not created on the HOST.
    Result: Did not work, as it seems that all of the Docker containers created by one runner will access those shared /tmp sources.
    Suggestion: Fix this in the pipelines runner container to use a shared volume -> easier and without security issues
  • set the user and group ID of the executing user to your host user's ID
    Result: Access denied on the Docker socket mounted in the container, because the containers created by the runner now inherit this USER ID.
    Suggestion: The runner should use its own USER ID to create the child containers.


I guess the reason for this is the access to the shared /tmp folder.

Suggestion: Use an anonymous Docker volume and use it as a shared one between the sub-containers. Or at least give us the option to do so.


Anyone have better ideas?

0 answers
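Added example, not part of the original post and not code from the Bitbucket runner: a small audit script for the situation described above. It walks a workspace directory (the bind-mounted /tmp in the post) and reports entries that were left behind by a container running as a different uid, plus the two follow-on conditions a host-side attacker would look for: files with the setuid/setgid bit and world-writable entries. The sample tree it builds is constructed for the demonstration; the `-1` uid in the usage note is an assumption chosen so that every entry counts as foreign.

```python
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    path: str
    uid: int
    mode: str   # ls-style mode string, e.g. "-rwsr-xr-x"
    reason: str


def audit_workspace(root: str, expected_uid: Optional[int] = None) -> List[Finding]:
    """Walk `root` and flag entries a pipeline owner should worry about.

    - owned by a uid other than `expected_uid` (defaults to the calling user),
      e.g. root-owned leftovers from a build container that ran as uid 0 with
      the host directory bind-mounted,
    - regular files carrying the setuid or setgid bit,
    - world-writable entries, which any local user on the host could overwrite
      before the next job reads them.
    """
    if expected_uid is None:
        expected_uid = os.getuid()
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                # lstat, never stat: a planted symlink must not redirect the audit
                st = os.lstat(path)
            except FileNotFoundError:
                continue  # removed by a concurrent job between listing and stat
            mode = stat.filemode(st.st_mode)
            if st.st_uid != expected_uid:
                findings.append(Finding(path, st.st_uid, mode,
                                        f"owned by uid {st.st_uid}, expected {expected_uid}"))
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(Finding(path, st.st_uid, mode, "setuid/setgid bit set"))
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append(Finding(path, st.st_uid, mode, "world-writable"))
    return findings


def build_sample_workspace() -> str:
    """Constructed sample tree standing in for a runner's workspace directory.

    Everything here is owned by the current user, so ownership findings only
    appear when the audit is asked for a different expected uid.
    """
    root = tempfile.mkdtemp(prefix="runner-ws-")
    build = os.path.join(root, "build")
    os.mkdir(build)
    os.chmod(build, 0o755)  # pin modes so the sandbox umask cannot change the result
    artifact = os.path.join(build, "artifact.tar")
    with open(artifact, "wb") as fh:
        fh.write(b"constructed sample artifact")
    os.chmod(artifact, 0o644)
    script = os.path.join(root, "scratch.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho hi\n")
    os.chmod(script, 0o4755)  # setuid bit, the kind of thing a hostile job leaves behind
    log = os.path.join(root, "shared.log")
    open(log, "w").close()
    os.chmod(log, 0o666)  # world-writable scratch file
    return root


def reasons(findings: List[Finding]) -> List[str]:
    """Distinct reason strings, sorted, for summarising a run."""
    return sorted({f.reason for f in findings})


if __name__ == "__main__":
    ws = build_sample_workspace()
    for f in audit_workspace(ws):
        print(f"{f.mode} uid={f.uid} {f.path}: {f.reason}")
    # Assumed uid -1 never matches a real owner, so every entry is reported as foreign.
    print(len(audit_workspace(ws, expected_uid=-1)), "findings when every file counts as foreign")
```

Run it as the same user the runner container is started by; on a host where the runner's child containers really did write as uid 0, the `owned by uid 0` lines are the files the post is about, and the setuid and world-writable lines are the ones worth fixing first.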

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
CLOUD
TAGS
AUG Leaders

Atlassian Community Events