do_lxcapi_create: set umask

Always use 022 as the umask when creating the rootfs directory and executing the template. A too loose umask may cause security issues. A too strict umask may cause programs to fail inside the container. Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>

do_lxcapi_create: set umask
1286c271 · Kaarle Ritvanen · Christian Brauner · 3d872a3f · 1286c271
Unverified Commit 1286c271 authored Apr 15, 2018 by Kaarle Ritvanen Committed by Christian Brauner Aug 23, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

lxccontainer.c src/lxc/lxccontainer.c +4 -0

No files found.
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1601,6 +1601,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t,
 			     int flags, char *const argv[])
 {
 	int partial_fd;
+	mode_t mask;
 	pid_t pid;
 	bool ret = false;
 	char *tpath = NULL;
@@ -1673,6 +1674,8 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t,

 	/* No need to get disk lock bc we have the partial lock. */

+	mask = umask(0022);
+
 	/* Create the storage.
 	 * Note we can't do this in the same task as we use to execute the
 	 * template because of the way zfs works.
@@ -1732,6 +1735,7 @@ static bool do_lxcapi_create(struct lxc_container *c, const char *t,
 	ret = load_config_locked(c, c->configfile);

 out_unlock:
+	umask(mask);
 	if (partial_fd >= 0)
 		remove_partial(c, partial_fd);
 out: