The tmpfs was mounted with its default mode (1777), which was then picked up by overlayfs/aufs as the target's mode.
This led to a world writable / in ephemeral containers. I have confirmed that this issue doesn't impact lxc-clone. Signed-off-by: Stéphane Graber <[email protected]> --- src/lxc/lxc-start-ephemeral.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lxc/lxc-start-ephemeral.in b/src/lxc/lxc-start-ephemeral.in index 822f802..d5690b2 100644 --- a/src/lxc/lxc-start-ephemeral.in +++ b/src/lxc/lxc-start-ephemeral.in @@ -219,7 +219,7 @@ LXC_NAME="%s" fd.write("mkdir -p %s %s\n" % (target, entry[1])) if args.storage_type == "tmpfs": - fd.write("mount -n -t tmpfs none %s\n" % (target)) + fd.write("mount -n -t tmpfs -o mode=0755 none %s\n" % (target)) if args.union_type == "overlayfs": fd.write("mount -n -t overlayfs" -- 1.9.0 _______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
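Review bot: the `-o mode=0755` added in the tmpfs branch fixes the world-writable root for tmpfs-backed ephemeral containers, but the hardcoded mode deserves a one-line comment next to the `fd.write` explaining that overlayfs/aufs adopt the upper directory's mode, since nothing else in the hunk records why the tmpfs default is unsafe here. The `mkdir -p %s %s` line just above still creates the target with a umask-dependent mode for the non-tmpfs storage path, so it is worth confirming that path does not have the same problem when the mount-time mode is not forced.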
