How to prevent self-hosted runners from creating world-writable shm sections?

[billrobertson42]

We are running self-hosted gha runners on RHEL 9.4. They are creating a shared memory section with world-writable permissions. I assume that the runners use this to communicate among themselves. The issue is that the lttng-ust-wait-8 section has world-write permissions, and this is causing security audit issues.

How can I prevent it from doing this? The runner users are all in the same group, so world write permission should not be required. Or is there something in the host machine configuration that should be changed?

If this can’t be changed, does anyone know what it’s using this for? Need to be able to quantify the risk.

$ ll /dev/shm/

-rw-rw-rw- 1 gha-runner-7 gha-runner-7  4096 Feb 20 04:03 lttng-ust-wait-8
-rw-r----- 1 gha-runner-8 gha-runner-8  4096 Feb 20 04:03 lttng-ust-wait-8-558
-rw-r----- 1 gha-runner-7 gha-runner-7  4096 Feb 20 04:03 lttng-ust-wait-8-559
-rw-r----- 1 gha-runner-6 gha-runner-6  4096 Feb 20 04:03 lttng-ust-wait-8-560
-rw-r----- 1 gha-runner-5 gha-runner-5  4096 Feb 20 04:03 lttng-ust-wait-8-561
-rw-r----- 1 gha-runner-4 gha-runner-4  4096 Feb 20 04:03 lttng-ust-wait-8-562
-rw-r----- 1 gha-runner-3 gha-runner-3  4096 Feb 20 04:03 lttng-ust-wait-8-563
-rw-r----- 1 gha-runner-2 gha-runner-2  4096 Feb 20 04:03 lttng-ust-wait-8-564
-rw-r----- 1 gha-runner-1 gha-runner-1  4096 Feb 20 04:03 lttng-ust-wait-8-565