Merge pull request #2984 from apostasie/main

Fix some /etc/ file permissions (see #2684)
containerd · May 11, 2024 · ec9d9ca · ec9d9ca
2 parents c369663 + 762fe91
commit ec9d9ca
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/pkg/containerutil/container_network_manager.go b/pkg/containerutil/container_network_manager.go
@@ -398,6 +398,8 @@ func withDedupMounts(mountPath string, defaultSpec oci.SpecOpts) oci.SpecOpts {
 	}
 }
 
+// copyFileContent copies a file and sets world readable permissions on it, regardless of umask.
+// This is used solely for /etc/resolv.conf and /etc/hosts
 func copyFileContent(src string, dst string) error {
 	data, err := os.ReadFile(src)
 	if err != nil {
@@ -407,6 +409,10 @@ func copyFileContent(src string, dst string) error {
 	if err != nil {
 		return err
 	}
+	err = os.Chmod(dst, 0644)
+	if err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -539,6 +545,7 @@ func validateUtsSettings(netOpts types.NetworkOptions) error {
 // Nerdctl-managed datastore and returns the oci.SpecOpts required in the container
 // spec for the file to be mounted under /etc/hostname in the new container.
 // If the hostname is empty, the leading 12 characters of the containerID
+// This sets world readable permissions on /etc/hostname, ignoring umask
 func writeEtcHostnameForContainer(globalOptions types.GlobalCommandOptions, hostname string, containerID string) ([]oci.SpecOpts, error) {
 	if containerID == "" {
 		return nil, fmt.Errorf("container ID is required for setting up hostname file")
@@ -559,6 +566,11 @@ func writeEtcHostnameForContainer(globalOptions types.GlobalCommandOptions, host
 		return nil, err
 	}
 
+	err = os.Chmod(hostnamePath, 0644)
+	if err != nil {
+		return nil, err
+	}
+
 	return []oci.SpecOpts{oci.WithHostname(hostname), withCustomEtcHostname(hostnamePath)}, nil
 }