Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix permissions for resolv.conf and hosts #3708

Merged
merged 1 commit into from
Dec 2, 2024
Merged

Fix permissions for resolv.conf and hosts #3708

merged 1 commit into from
Dec 2, 2024

Conversation

apostasie
Copy link
Contributor

@apostasie apostasie commented Dec 2, 2024
edited
Loading

WriteFile permissions are before umask is applied. For people using aggressive umasks (0077), /etc/resolv.conf will end-up unreadable for non root processes.

Fix #3704

@apostasie
Copy link
Contributor Author

Note: we should yank out every and all filesystem direct access away.

The Store interface did a lot of that already, and did solve atomicity and concurrency, but this is yet another proof that letting people use the filesystem directly is almost always a mistake and we should provide safer abstractions instead.

@apostasie
Copy link
Contributor Author

Looks like logs are still not reliable (https://github.com/containerd/nerdctl/actions/runs/12112797262/job/33766787978?pr=3708#step:7:549).

@AkihiroSuda can you restart test / rootful | v2.0.0 | arm64-8core-32gb (pull_request) ?

Thanks.

@apostasie apostasie marked this pull request as ready for review December 2, 2024 05:10
AkihiroSuda
AkihiroSuda reviewed Dec 2, 2024
View reviewed changes
pkg/dnsutil/hostsstore/hostsstore.go
@@ -114,6 +114,9 @@ func (x *hostsStore) Acquire(meta Meta) (err error) {
if err = os.WriteFile(loc, []byte{}, 0o644); err != nil {
return errors.Join(store.ErrSystemFailure, err)
}
if err = os.Chmod(loc, 0o644); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a comment to explain why 0o644 in the arg of WriteFile doesn't take an expected effect?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

AkihiroSuda
AkihiroSuda reviewed Dec 2, 2024
View reviewed changes
pkg/dnsutil/hostsstore/hostsstore.go
@@ -175,6 +178,9 @@ func (x *hostsStore) AllocHostsFile(id string, content []byte) (location string,
if err != nil {
err = errors.Join(store.ErrSystemFailure, err)
}
if err = os.Chmod(loc, 0o644); err != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above

AkihiroSuda
AkihiroSuda reviewed Dec 2, 2024
View reviewed changes
pkg/resolvconf/resolvconf.go
return nil, err
}

return &File{Content: content.Bytes(), Hash: hash}, os.Chmod(path, 0o644)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above

@AkihiroSuda AkihiroSuda added this to the v2.1.0 milestone Dec 2, 2024
@AkihiroSuda AkihiroSuda mentioned this pull request Dec 2, 2024
Closed
AkihiroSuda
AkihiroSuda reviewed Dec 2, 2024
View reviewed changes
pkg/dnsutil/hostsstore/hostsstore.go Outdated
@@ -114,6 +114,10 @@ func (x *hostsStore) Acquire(meta Meta) (err error) {
if err = os.WriteFile(loc, []byte{}, 0o644); err != nil {
return errors.Join(store.ErrSystemFailure, err)
}
// See https://www.man7.org/linux/man-pages/man2/open.2.html
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't explain how the umask rule differs across Go's os.WriteFile and os.Chmod

Copy link
Contributor Author

@apostasie apostasie Dec 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No chmod implementation (system or language) would ever change the provided mode to account for umask - that would not make sense.

As for WriteFile, it calls syscall.Open underneath - and Open behavior wrt umask is covered in the man page.

Anyhow, changed the comment.

@apostasie
Fix permissions for resolv.conf and hosts
442b01d 
WriteFile uses syscall.Open, so permissions are modified by umask, if set.
For people using agressive umasks (0077), /etc/resolv.conf will end-up unreadable for non root processes.

See containerd#3704

Signed-off-by: apostasie <[email protected]>
AkihiroSuda
AkihiroSuda approved these changes Dec 2, 2024
View reviewed changes
Copy link
Member

@AkihiroSuda AkihiroSuda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks

@AkihiroSuda AkihiroSuda merged commit 6e4afb4 into containerd:main Dec 2, 2024
30 checks passed
@github-actions github-actions bot mentioned this pull request Dec 8, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.0.1
Development

Successfully merging this pull request may close these issues.

/etc/resolv.conf is not mounted with the correct permissions when the host has a umask 0077
2 participants
@apostasie @AkihiroSuda