From: Kaarle Ritvanen Date: Sun, 15 Apr 2018 11:50:28 +0000 (+0300) Subject: do_lxcapi_create: set umask X-Git-Tag: lxc-3.1.0~319^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F2279%2Fhead;p=thirdparty%2Flxc.git do_lxcapi_create: set umask Always use 022 as the umask when creating the rootfs directory and executing the template. A too loose umask may cause security issues. A too strict umask may cause programs to fail inside the container. Signed-off-by: Kaarle Ritvanen --- diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 6d41b6cf1..c95fc83a8 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -1698,6 +1698,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, int flags, char *const argv[]) { int partial_fd; + mode_t mask; pid_t pid; bool ret = false; char *tpath = NULL; @@ -1770,6 +1771,8 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, /* No need to get disk lock bc we have the partial lock. */ + mask = umask(0022); + /* Create the storage. * Note we can't do this in the same task as we use to execute the * template because of the way zfs works. @@ -1830,6 +1833,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, ret = load_config_locked(c, c->configfile); out_unlock: + umask(mask); if (partial_fd >= 0) remove_partial(c, partial_fd); out: