podman exec should set umask to match container

Fixes: containers#19713 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
rhatdan · Aug 23, 2023 · a83ae05 · a83ae05
1 parent c07f46e
commit a83ae05
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 3 deletions.
diff --git a/libpod/container_internal_common.go b/libpod/container_internal_common.go
@@ -477,11 +477,10 @@ func (c *Container) generateSpec(ctx context.Context) (s *spec.Spec, cleanupFunc
 	}
 
 	if c.config.Umask != "" {
-		decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
+		umask, err := c.umask()
 		if err != nil {
-			return nil, nil, fmt.Errorf("invalid Umask Value: %w", err)
+			return nil, nil, err
 		}
-		umask := uint32(decVal)
 		g.Config.Process.User.Umask = &umask
 	}
 
@@ -2931,3 +2930,11 @@ func (c *Container) ChangeHostPathOwnership(src string, recurse bool, uid, gid i
 	}
 	return chown.ChangeHostPathOwnership(src, recurse, uid, gid)
 }
+
+func (c *Container) umask() (uint32, error) {
+	decVal, err := strconv.ParseUint(c.config.Umask, 8, 32)
+	if err != nil {
+		return 0, fmt.Errorf("invalid Umask Value: %w", err)
+	}
+	return uint32(decVal), nil
+}
diff --git a/libpod/oci_conmon_exec_common.go b/libpod/oci_conmon_exec_common.go
@@ -743,6 +743,14 @@ func (c *Container) prepareProcessExec(options *ExecOptions, env []string, sessi
 		pspec.User = processUser
 	}
 
+	if c.config.Umask != "" {
+		umask, err := c.umask()
+		if err != nil {
+			return nil, err
+		}
+		pspec.User.Umask = &umask
+	}
+
 	if err := c.setProcessCapabilitiesExec(options, user, execUser, pspec); err != nil {
 		return nil, err
 	}

diff --git a/test/system/075-exec.bats b/test/system/075-exec.bats
@@ -148,4 +148,23 @@ load helpers
     run_podman rm -f wait_container
 }
 
+@test "podman run umask" {
+    test "$runtime" == "crun" \
+        || skip "FIXME: runtime is $runtime; this test requires crun or runc 1.1.7 or newer which is not currently in debian"
+    umask="0017"
+    run_podman run --rm -q $IMAGE grep Umask /proc/self/status
+    is "$output" "Umask:.*0022" "default_umask should not be modified"
+
+    run_podman run -q --rm --umask $umask $IMAGE grep Umask /proc/self/status
+    is "$output" "Umask:.*$umask" "umask should be modified"
+    run_podman run -q -d --umask $umask $IMAGE sleep inf
+    cid=$output
+    run_podman exec $cid grep Umask /proc/self/status
+    is "$output" "Umask:.*$umask" "exec umask should match container umask"
+    run_podman exec $cid sh -c "touch /foo; stat -c '%a' /foo"
+    is "$output" "660" "umask should apply to newly created file"
+
+    run_podman rm -f -t0 $cid
+}
+
 # vim: filetype=sh