Merge pull request #19714 from rhatdan/umask

podman exec should set umask to match container
2025-05-21 09:05:56 +08:00 · 2023-08-25 14:52:55 +02:00
parent 584c1e70d0 6f284dbd46
commit e916b4e376
3 changed files with 37 additions and 3 deletions
--- a/libpod/container_internal_common.go
+++ b/libpod/container_internal_common.go
@ -477,11 +477,10 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 	}

 	if c.config.Umask != "" {
-		decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
+		umask, err := c.umask()
 		if err != nil {
-			return nil, nil, fmt.Errorf("invalid Umask Value: %w", err)
+			return nil, nil, err
 		}
-		umask := uint32(decVal)
 		g.Config.Process.User.Umask = &umask
 	}

@ -2931,3 +2930,11 @@ func (c *Container) ChangeHostPathOwnership(src string, recurse bool, uid, gid i
 	}
 	return chown.ChangeHostPathOwnership(src, recurse, uid, gid)
 }
+
+func (c *Container) umask() (uint32, error) {
+	decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
+	if err != nil {
+		return 0, fmt.Errorf("invalid Umask Value: %w", err)
+	}
+	return uint32(decVal), nil
+}
--- a/libpod/oci_conmon_exec_common.go
+++ b/libpod/oci_conmon_exec_common.go
@ -743,6 +743,14 @@ func (c *Container) prepareProcessExec(options *ExecOptions, env []string, sessi
 		pspec.User = processUser
 	}

+	if c.config.Umask != "" {
+		umask, err := c.umask()
+		if err != nil {
+			return nil, err
+		}
+		pspec.User.Umask = &umask
+	}
+
 	if err := c.setProcessCapabilitiesExec(options, user, execUser, pspec); err != nil {
 		return nil, err
 	}
--- a/test/system/075-exec.bats
+++ b/test/system/075-exec.bats
@ -148,4 +148,23 @@ load helpers
    run_podman rm -f wait_container
 }

+@test "podman run umask" {
+    test "$(podman_runtime)" == "crun" \
+        || skip "FIXME: runtime is $(podman_runtime); this test requires crun or runc 1.1.7 or newer which is not currently in debian"
+    umask="0724"
+    run_podman run --rm -q $IMAGE grep Umask /proc/self/status
+    is "$output" "Umask:.*0022" "default_umask should not be modified"
+
+    run_podman run -q --rm --umask $umask $IMAGE grep Umask /proc/self/status
+    is "$output" "Umask:.*$umask" "umask should be modified"
+    run_podman run -q -d --umask $umask $IMAGE sleep inf
+    cid=$output
+    run_podman exec $cid grep Umask /proc/self/status
+    is "$output" "Umask:.*$umask" "exec umask should match container umask"
+    run_podman exec $cid sh -c "touch /foo; stat -c '%a' /foo"
+    is "$output" "42" "umask should apply to newly created file"
+
+    run_podman rm -f -t0 $cid
+}
+
 # vim: filetype=sh