do_lxcapi_create: set umask

Always use 022 as the umask when creating the rootfs directory and
executing the template. A too loose umask may cause security issues.
A too strict umask may cause programs to fail inside the container.

Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index e63dc264c9db03cd27697f13747eadcb4ebac76a..2f37854ce12ada4a2f70e41e5da24c3739d50d8a 100644 (file)
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1601,6 +1601,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t,
                             int flags, char *const argv[])
 {
        int partial_fd;
+       mode_t mask;
        pid_t pid;
        bool ret = false;
        char *tpath = NULL;
@@ -1673,6 +1674,8 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t,
 
        /* No need to get disk lock bc we have the partial lock. */
 
+       mask = umask(0022);
+
        /* Create the storage.
         * Note we can't do this in the same task as we use to execute the
         * template because of the way zfs works.
@@ -1732,6 +1735,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t,
        ret = load_config_locked(c, c->configfile);
 
 out_unlock:
+       umask(mask);
        if (partial_fd >= 0)
                remove_partial(c, partial_fd);
 out: