Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

overlay: set permissions on "diff" correctly #772

Merged
merged 1 commit into from Nov 13, 2020
Merged

overlay: set permissions on "diff" correctly #772

merged 1 commit into from Nov 13, 2020

Conversation

nalind
Copy link
Member

@nalind nalind commented Nov 12, 2020

When creating a new layer that has a parent, assign the new layer's "diff" directory the same permissions as the parent layer's "diff" directory, rather than the permissions of the parent of its parent layer's "diff" directory.

Before the recent round of changes, that directory would be initialized with 0700 permissions, so layers created by new code on top of layers created by the older version would be marked 0700, and were not usable by UIDs other than 0.

Spotted in CI tests for buildah that try to use overlay to create containers on top of base images that were imported using a slightly older version of podman, for example https://cirrus-ci.com/task/6024517489262592.

@nalind nalind mentioned this pull request Nov 12, 2020
Merged
@rhatdan
Copy link
Member

rhatdan commented Nov 13, 2020

LGTM
@giuseppe @vrothberg @saschagrunert @TomSweeneyRedHat PTAL

vrothberg
vrothberg reviewed Nov 13, 2020
View reviewed changes
Copy link
Member

@vrothberg vrothberg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

saschagrunert
saschagrunert approved these changes Nov 13, 2020
View reviewed changes
Copy link
Member

@saschagrunert saschagrunert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

giuseppe
giuseppe reviewed Nov 13, 2020
View reviewed changes
drivers/overlay/overlay.go
@@ -631,6 +626,18 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
}
}

perms := defaultPerms
if d.options.forceMask != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should have precedence and override the parent mode

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, yeah, you're right. Changing it.

@nalind
overlay: set permissions on "diff" correctly
a778488 
When creating a new layer that has a parent, assign the new layer's
"diff" directory the same permissions as the parent layer's "diff"
directory, rather than the permissions of the parent of its parent
layer's "diff" directory.

Before the recent round of changes, that directory would be initialized
with 0700 permissions, so layers created by new code on top of layers
created by the older version would be given 0700 permissions, and were
not usable by UIDs other than 0.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
@rhatdan rhatdan merged commit 628ad34 into containers:master Nov 13, 2020
@nalind nalind deleted the overlay-perms branch November 13, 2020 19:16
@nalind nalind mentioned this pull request Jun 8, 2021
Closed
@eriksjolund eriksjolund mentioned this pull request Apr 22, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@giuseppe giuseppe giuseppe left review comments

@vrothberg vrothberg vrothberg left review comments

@saschagrunert saschagrunert saschagrunert approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@nalind @rhatdan @giuseppe @saschagrunert @vrothberg