From 51f0f73b4f34bdccc9194c126f267b92a092d968 Mon Sep 17 00:00:00 2001 From: Kaarle Ritvanen Date: Sun, 15 Apr 2018 14:50:28 +0300 Subject: [PATCH] do_lxcapi_create: set umask Always use 022 as the umask when creating the rootfs directory and executing the template. A too loose umask may cause security issues. A too strict umask may cause programs to fail inside the container. Signed-off-by: Kaarle Ritvanen --- src/lxc/lxccontainer.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 6d41b6cf1..c95fc83a8 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -1698,6 +1698,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, int flags, char *const argv[]) { int partial_fd; + mode_t mask; pid_t pid; bool ret = false; char *tpath = NULL; @@ -1770,6 +1771,8 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, /* No need to get disk lock bc we have the partial lock. */ + mask = umask(0022); + /* Create the storage. * Note we can't do this in the same task as we use to execute the * template because of the way zfs works. @@ -1830,6 +1833,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t, ret = load_config_locked(c, c->configfile); out_unlock: + umask(mask); if (partial_fd >= 0) remove_partial(c, partial_fd); out: -- 2.47.2