fix(docker): harden /app/extensions permissions to 755 (#30191)

* fix(docker): harden /app/extensions permissions to 755 Bundled extension directories shipped as world-writable (mode 777) in the Docker image. The plugin security scanner blocks any world- writable path with: WARN: blocked plugin candidate: world-writable path (/app/extensions/memory-core, mode=777) Add chmod -R 755 /app/extensions in the final USER root RUN step so all bundled extensions are readable but not world-writable. This runs as root before switching back to the node user, matching the pattern already used for chmod 755 /app/openclaw.mjs. Fixes #30139 * fix(docker): normalize plugin and agent path permissions * docs(changelog): add docker permissions entry for #30191 * Update CHANGELOG.md --------- Co-authored-by: Vincent Koc <vincentkoc@ieee.org>
2026-03-12 07:20:45 +00:00 · 2026-03-02 00:45:21 +01:00
parent 9e6e7a3d69
commit 577f2fa540
3 changed files with 16 additions and 0 deletions
--- a/8
+++ b/8
@@ -46,6 +46,14 @@ RUN if [ -n "$OPENCLAW_INSTALL_BROWSER" ]; then \

 USER node
 COPY --chown=node:node . .
+# Normalize copied plugin/agent paths so plugin safety checks do not reject
+# world-writable directories inherited from source file modes.
+RUN for dir in /app/extensions /app/.agent /app/.agents; do \
+      if [ -d "$dir" ]; then \
+        find "$dir" -type d -exec chmod 755 {} +; \
+        find "$dir" -type f -exec chmod 644 {} +; \
+      fi; \
+    done
 RUN pnpm build
 # Force pnpm for UI build (Bun may fail on ARM/Synology architectures)
 ENV OPENCLAW_PREFER_PNPM=1