The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2279

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
Always use 022 as the umask when creating the rootfs directory and
executing the template. A too loose umask may cause security issues.
A too strict umask may cause programs to fail inside the container.
From 32679a2f2da72cc1d598de63c46d63e1bbe67f99 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen <kaarle.ritva...@datakunkku.fi>
Date: Sun, 15 Apr 2018 14:50:28 +0300
Subject: [PATCH] do_lxcapi_create: set umask

Always use 022 as the umask when creating the rootfs directory and
executing the template. A too loose umask may cause security issues.
A too strict umask may cause programs to fail inside the container.
---
 src/lxc/lxccontainer.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index 6d41b6cf1..c95fc83a8 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1698,6 +1698,7 @@ static bool do_lxcapi_create(struct lxc_container *c, 
const char *t,
                             int flags, char *const argv[])
 {
        int partial_fd;
+       mode_t mask;
        pid_t pid;
        bool ret = false;
        char *tpath = NULL;
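Review bot: `mask` is declared here without an initial value, but it is only assigned by `mask = umask(0022)` in the second hunk, some seventy lines further down, while the restore `umask(mask)` sits at `out_unlock:` in the third hunk. Any path in the intervening lines that jumps to `out_unlock` before the assignment would then install an indeterminate value as the process umask. Please confirm no such path exists, or make the set and the restore unambiguous (for example, move the `umask(0022)` call to immediately after the point from which `out_unlock` first becomes reachable, or track with a flag whether the mask was changed). Also worth checking that `sys/stat.h` is included in this file, since both `mode_t` and `umask()` come from it.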
@@ -1770,6 +1771,8 @@ static bool do_lxcapi_create(struct lxc_container *c, 
const char *t,
 
        /* No need to get disk lock bc we have the partial lock. */
 
+       mask = umask(0022);
+
        /* Create the storage.
         * Note we can't do this in the same task as we use to execute the
         * template because of the way zfs works.
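Review bot: `umask()` is a process-wide attribute, not a per-thread one, so from this line until `out_unlock` every other thread in a program linked against liblxc creates files under 022 as well, and `do_lxcapi_create` is part of the public API. The comment just below says the storage is created in a separate task from the one that executes the template, and the `pid_t pid` in the first hunk shows the template run is forked; setting `umask(0022)` in those child processes after `fork()` would give the rootfs and the template the intended mask without touching the parent's mask and without needing a restore path at all. If the parent-side set is kept, it would help to add a comment here naming which of the two children it is meant to cover.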
@@ -1830,6 +1833,7 @@ static bool do_lxcapi_create(struct lxc_container *c, 
const char *t,
        ret = load_config_locked(c, c->configfile);
 
 out_unlock:
+       umask(mask);
        if (partial_fd >= 0)
                remove_partial(c, partial_fd);
 out:
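Review bot: the restore is only reached through `out_unlock:`; since `out:` follows it directly, normal fallthrough is fine, but any `goto out` between the `umask(0022)` call and this label would leave 022 in effect for the caller. Placing the restore before `remove_partial()` is right, as the partial-file cleanup then runs under the caller's original mask. No return check is needed, `umask()` cannot fail.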
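The commit message's point about too loose versus too strict umasks, shown as an added C example that is not part of this patch or of LXC: it creates a directory with mode 0777 under three different umasks, reports the permission bits the directory actually received, and saves and restores the caller's umask around the operation, the same pattern as `mask = umask(0022)` / `umask(mask)` in the patch. The scratch path under `/tmp` is constructed for the demo.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Create "rootfs" under a fresh temporary directory while the given umask is
 * in effect and return the permission bits it ended up with (-1 on error).
 * The caller's umask is saved before the change and restored afterwards,
 * mirroring the set/restore pair in the patch. */
int create_with_umask(mode_t wanted_umask)
{
    char tmpl[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch location */
    char path[sizeof(tmpl) + sizeof("/rootfs")];
    struct stat st;
    mode_t saved;
    int result = -1;

    if (!mkdtemp(tmpl))
        return -1;
    snprintf(path, sizeof(path), "%s/rootfs", tmpl);

    saved = umask(wanted_umask);            /* set, remembering the old mask */
    if (mkdir(path, 0777) == 0 && stat(path, &st) == 0)
        result = (int)(st.st_mode & 07777); /* bits left after the mask */
    umask(saved);                           /* restore, as at out_unlock */

    rmdir(path);
    rmdir(tmpl);
    return result;
}

/* Returns 1 if create_with_umask() left the process umask unchanged. */
int umask_is_restored(void)
{
    mode_t before = umask(0);
    umask(before);
    create_with_umask(0077);
    mode_t after = umask(0);
    umask(after);
    return before == after;
}

int main(void)
{
    /* 022 strips group/other write: 0755. 000 leaves the directory
     * world-writable (the "too loose" case). 077 gives owner-only 0700,
     * which breaks programs in the container that expect readable paths. */
    printf("umask 022 -> %04o\n", create_with_umask(0022));
    printf("umask 000 -> %04o\n", create_with_umask(0000));
    printf("umask 077 -> %04o\n", create_with_umask(0077));
    printf("umask restored: %s\n", umask_is_restored() ? "yes" : "no");
    return 0;
}
```

The numbers make the trade-off in the commit message concrete: 022 is the value that keeps the rootfs readable for everything inside the container while denying write access to group and others.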
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
