Merge pull request #19714 from rhatdan/umask

podman exec should set umask to match container
OpenShift Merge Robot
2023-08-25 14:52:55 +02:00
committed by GitHub
3 changed files with 37 additions and 3 deletions


@ -477,11 +477,10 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
} }
if c.config.Umask != "" { if c.config.Umask != "" {
decVal, err := strconv.ParseUint(c.config.Umask, 8, 32) umask, err := c.umask()
if err != nil { if err != nil {
return nil, nil, fmt.Errorf("invalid Umask Value: %w", err) return nil, nil, err
} }
umask := uint32(decVal)
g.Config.Process.User.Umask = &umask g.Config.Process.User.Umask = &umask
} }
@ -2931,3 +2930,11 @@ func (c *Container) ChangeHostPathOwnership(src string, recurse bool, uid, gid i
} }
return chown.ChangeHostPathOwnership(src, recurse, uid, gid) return chown.ChangeHostPathOwnership(src, recurse, uid, gid)
} }
func (c *Container) umask() (uint32, error) {
decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
if err != nil {
return 0, fmt.Errorf("invalid Umask Value: %w", err)
}
return uint32(decVal), nil
}
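Review bot: The new `umask()` helper at the end of this section has no doc comment and still depends on every caller checking `c.config.Umask != ""` first, because `strconv.ParseUint("")` returns an error; that guard is now duplicated in generateSpec here and again in prepareProcessExec in the next file. Either move the empty check into the helper or document the precondition: `// umask parses c.config.Umask as an octal string into the value placed on the OCI process spec; callers must check the field is non-empty.` ParseUint with bitSize 32 also accepts values above 0777 that a umask cannot express, so a range check such as `if decVal > 0o777 { return 0, fmt.Errorf("invalid Umask Value %q: exceeds 0777", c.config.Umask) }` would reject them at spec-generation time instead of leaving the outcome to the runtime — worth confirming the CLI does not already validate this. generateSpec begins before this hunk, and ChangeHostPathOwnership begins before the second hunk.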


@ -743,6 +743,14 @@ func (c *Container) prepareProcessExec(options *ExecOptions, env []string, sessi
pspec.User = processUser pspec.User = processUser
} }
if c.config.Umask != "" {
umask, err := c.umask()
if err != nil {
return nil, err
}
pspec.User.Umask = &umask
}
if err := c.setProcessCapabilitiesExec(options, user, execUser, pspec); err != nil { if err := c.setProcessCapabilitiesExec(options, user, execUser, pspec); err != nil {
return nil, err return nil, err
} }
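Review bot: The new block starting at `if c.config.Umask != ""` carries no comment explaining why an exec session now takes the container's umask, and a reader of prepareProcessExec alone cannot see that it mirrors the value generateSpec sets on the init process. A one-line comment would make the intent clear: `// Exec sessions inherit the container's --umask so files they create get the same mode as those created by the init process.` Since `pspec.User.Umask` is only assigned when the config field is non-empty, an exec into a container created without --umask keeps whatever the runtime default is — presumably intended, but worth stating in that comment. prepareProcessExec starts and ends outside this hunk.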


@ -148,4 +148,23 @@ load helpers
run_podman rm -f wait_container run_podman rm -f wait_container
} }
@test "podman run umask" {
test "$(podman_runtime)" == "crun" \
|| skip "FIXME: runtime is $(podman_runtime); this test requires crun or runc 1.1.7 or newer which is not currently in debian"
umask="0724"
run_podman run --rm -q $IMAGE grep Umask /proc/self/status
is "$output" "Umask:.*0022" "default_umask should not be modified"
run_podman run -q --rm --umask $umask $IMAGE grep Umask /proc/self/status
is "$output" "Umask:.*$umask" "umask should be modified"
run_podman run -q -d --umask $umask $IMAGE sleep inf
cid=$output
run_podman exec $cid grep Umask /proc/self/status
is "$output" "Umask:.*$umask" "exec umask should match container umask"
run_podman exec $cid sh -c "touch /foo; stat -c '%a' /foo"
is "$output" "42" "umask should apply to newly created file"
run_podman rm -f -t0 $cid
}
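Review bot: The skip guard in "podman run umask" only lets the test run when the runtime is crun, yet the skip message says runc 1.1.7 or newer is also sufficient, so a host with a recent runc skips a test the message implies it could run. Either drop the runc mention from the message or extend the guard with the suite's runc version helper, e.g. `test "$(podman_runtime)" == "crun" || RUNC_VERSION_CHECK_PLACEHOLDER \` (placeholder for whatever version check the helpers provide). The expected `42` for a file touched under umask 0724 is right (0666 &^ 0724 = 0042), but a short comment stating that arithmetic next to the assertion would make it self-explanatory.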
# vim: filetype=sh # vim: filetype=sh