From: Kaarle Ritvanen Date: Sun, 15 Apr 2018 11:50:28 +0000 (+0300) Subject: do_lxcapi_create: set umask X-Git-Tag: lxc-2.0.10~172 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1286c27129b1ca6f6c9195fe0c871817fe3cc7ab;p=thirdparty%2Flxc.git do_lxcapi_create: set umask Always use 022 as the umask when creating the rootfs directory and executing the template. A too loose umask may cause security issues. A too strict umask may cause programs to fail inside the container. Signed-off-by: Kaarle Ritvanen --- diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index e63dc264c..2f37854ce 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -1601,6 +1601,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, int flags, char *const argv[]) { int partial_fd; + mode_t mask; pid_t pid; bool ret = false; char *tpath = NULL; @@ -1673,6 +1674,8 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, /* No need to get disk lock bc we have the partial lock. */ + mask = umask(0022); + /* Create the storage. * Note we can't do this in the same task as we use to execute the * template because of the way zfs works. @@ -1732,6 +1735,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, ret = load_config_locked(c, c->configfile); out_unlock: + umask(mask); if (partial_fd >= 0) remove_partial(c, partial_fd); out: