From: Stéphane Graber
Date: Sun, 23 Feb 2014 00:34:27 +0000 (-0500)
Subject: lxc-start-ephemeral: Set tmpfs mode to 0755
X-Git-Tag: lxc-1.1.0.alpha1~271
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=642d1ccd9852b0adb797d33d1550cf6307cae674;p=thirdparty%2Flxc.git

lxc-start-ephemeral: Set tmpfs mode to 0755

The tmpfs was mounted with its default mode (1777) which was then picked up by overlayfs/aufs as the target's mode. This led to a world writable / in ephemeral containers. I have confirmed that this issue doesn't impact lxc-clone.

Signed-off-by: Stéphane Graber
Acked-by: Serge E. Hallyn
---
diff --git a/src/lxc/lxc-start-ephemeral.in b/src/lxc/lxc-start-ephemeral.in index 822f80278..d5690b234 100644 --- a/src/lxc/lxc-start-ephemeral.in +++ b/src/lxc/lxc-start-ephemeral.in @@ -219,7 +219,7 @@ LXC_NAME="%s" fd.write("mkdir -p %s %s\n" % (target, entry[1])) if args.storage_type == "tmpfs": - fd.write("mount -n -t tmpfs none %s\n" % (target)) + fd.write("mount -n -t tmpfs -o mode=0755 none %s\n" % (target)) if args.union_type == "overlayfs": fd.write("mount -n -t overlayfs"
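
Review bot: the `-o mode=0755` added to the tmpfs mount line is hard-coded for every `target` this block writes, so if the block runs once per mount entry (as `entry[1]` in the `mkdir -p` line suggests) rather than only for /, any overlaid directory whose original mode is not 0755 will take 0755 from the tmpfs instead of its own mode. Consider deriving the mode from the directory being overlaid, or at least add a comment above the `fd.write` noting that tmpfs defaults to 1777 and that overlayfs/aufs take the target's mode from it, so the option is not later dropped as redundant. The non-tmpfs path leaves the same `target` with whatever mode `mkdir -p` gives it under the caller's umask; it is worth confirming that this cannot produce a group- or world-writable target either.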