From: Lennart Poettering
Date: Fri, 12 Nov 2021 10:11:27 +0000 (+0100)
Subject: namespace: make whole namespace_setup() work regardless of configured umask
X-Git-Tag: v250-rc1~290^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cdf42f9bd40ff21a67d58b948efea055d56ad398;p=thirdparty%2Fsystemd.git
namespace: make whole namespace_setup() work regardless of configured umask
Let's reset the umask during the whole namespace_setup() logic, so that all our mkdir() + mknod() are not subjected to whatever umask might currently be set. This mostly moves the umask save/restore logic out of mount_private_dev() and into the stack frame of namespace_setup() that is further out. Fixes #19899
---
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 5d18b26a74a..2239bbfb8aa 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -852,13 +852,10 @@ static int mount_private_dev(MountEntry *m) {
 char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
 const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
 bool can_mknod = true;
- _unused_ _cleanup_umask_ mode_t u;
 int r;
 assert(m);
- u = umask(0000);
-
 if (!mkdtemp(temporary_mount))
 return log_debug_errno(errno, "Failed to create temporary directory '%s': %m", temporary_mount);
@@ -1898,6 +1895,10 @@ int setup_namespace(
 assert(ns_info);
+ /* Make sure that all mknod(), mkdir() calls we do are unaffected by the umask, and the access modes
+ * we configure take effect */
+ BLOCK_WITH_UMASK(0000);
+
 if (!isempty(propagate_dir) && !isempty(incoming_dir))
 setup_propagate = true;
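Review bot: With the umask cleared for the whole of setup_namespace() at the added `BLOCK_WITH_UMASK(0000);` line, every mkdir(), mknod() or file creation reached from this function now gets exactly the mode argument it passes, where previously only mount_private_dev() ran that way. Any callee that relied on the inherited umask to trim a permissive mode (a 0777 directory, a 0666 file) would now create it group- or world-writable; those callees are outside this hunk, so this is a point to audit rather than a confirmed defect. I would make the contract explicit in the new comment, for example by appending `Callees must therefore pass the exact final access mode; the previous umask is restored when this function returns.` The body of setup_namespace() starts and ends outside the hunk.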