
remote api with podman 2.0.0 sets permissions of / to 600 instead of 755 #6787

Closed
42wim opened this issue Jun 26, 2020 · 5 comments · Fixed by #6791
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

Comments

@42wim
Contributor

42wim commented Jun 26, 2020

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

Steps to reproduce the issue:

All steps are done as root user on the system.

  1. Enable podman api:
         podman system service --time=0
  2. Run podman normal:
         podman run --rm -ti centos:7 ls -ald /
         drwxr-xr-x 1 root root 4096 Jun 26 11:45 /
  3. Run podman remote:
         podman run --remote --rm -ti centos:7 ls -ald /
         drw------- 1 root root 4096 Jun 26 11:46 /

Describe the results you received:

Root is 600

Describe the results you expected:

Root should be 755

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

Version:      2.0.0
API Version:  1
Go Version:   go1.13.4
Built:        Thu Jan  1 01:00:00 1970
OS/Arch:      linux/amd64

Output of podman info --debug:

host:
  arch: amd64
  buildahVersion: 1.15.0
  cgroupVersion: v1
  conmon:
    package: conmon-2.0.18-1.el8.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.0.18, commit: 993c9938f035967b39e65e46dce6ae7d6cfbb898'
  cpus: 24
  distribution:
    distribution: '"centos"'
    version: "8"
  eventLogger: file
  hostname: icts-p-netconf-3
  idMappings:
    gidmap: null
    uidmap: null
  kernel: 4.18.0-147.8.1.el8_1.x86_64
  linkmode: dynamic
  memFree: 22758936576
  memTotal: 67257278464
  ociRuntime:
    name: runc
    package: runc-1.0.0-64.rc9.module_el8.1.0+298+41f9343a.x86_64
    path: /usr/bin/runc
    version: 'runc version spec: 1.0.1-dev'
  os: linux
  remoteSocket:
    exists: true
    path: /run/podman/podman.sock
  rootless: false
  slirp4netns:
    executable: ""
    package: ""
    version: ""
  swapFree: 2147479552
  swapTotal: 2147479552
  uptime: 673h 35m 10.95s (Approximately 28.04 days)
registries:
  search:
  - registry.access.redhat.com
  - registry.fedoraproject.org
  - registry.centos.org
  - docker.io
store:
  configFile: /etc/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 2
    stopped: 2
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/lib/containers/storage
  graphStatus:
    Backing Filesystem: extfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Using metacopy: "false"
  imageStore:
    number: 20
  runRoot: /var/run/containers/storage
  volumePath: /var/lib/containers/storage/volumes
version:
  APIVersion: 1
  Built: 0
  BuiltTime: Thu Jan  1 01:00:00 1970
  GitCommit: ""
  GoVersion: go1.13.4
  OsArch: linux/amd64
  Version: 2.0.0

Package info (e.g. output of rpm -q podman or apt list podman):

rpm -q podman
podman-2.0.0-2.el8.x86_64
@openshift-ci-robot openshift-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Jun 26, 2020
mheon added a commit to mheon/libpod that referenced this issue Jun 26, 2020
We need a umask of 0022 to ensure containers are created
correctly, but we set a different one prior to starting the
server (to ensure the unix socket has the right permissions).
Thus, we need to set the umask after the socket has been bound,
but before the server begins accepting requests.

Fixes containers#6787

Signed-off-by: Matthew Heon <matthew.heon@pm.me>
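
The ordering described in the commit message above, as an added Go example (not code from the podman repository or from the commit's author). The umask value 0177 and the names `serveOnce`, `api.sock` and `rootfs` are assumptions made for illustration; 0177 is chosen because it turns a requested 0755 into the 0600 seen in the report.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"syscall"
)

const socketUmask = 0o177 // assumed; 0755 &^ 0177 = 0600 matches the report

// serveOnce binds a unix socket under socketUmask, then creates a directory
// with mode 0755 as a request handler would. restore=true resets the umask
// to 0022 after the bind and before any request work (the fixed ordering).
func serveOnce(restore bool) (sock, dir os.FileMode, err error) {
	tmp, err := os.MkdirTemp("", "umask") // created before the umask changes
	if err != nil {
		return 0, 0, err
	}
	defer os.RemoveAll(tmp)
	orig := syscall.Umask(socketUmask) // process-wide, not per-socket
	defer syscall.Umask(orig)
	sockPath, root := filepath.Join(tmp, "api.sock"), filepath.Join(tmp, "rootfs")
	ln, err := net.Listen("unix", sockPath) // socket file gets 0777 &^ umask
	if err != nil {
		return 0, 0, err
	}
	defer ln.Close()
	if restore {
		syscall.Umask(0o022)
	}
	if err = os.Mkdir(root, 0o755); err != nil {
		return 0, 0, err
	}
	si, err := os.Stat(sockPath)
	if err != nil {
		return 0, 0, err
	}
	di, err := os.Stat(root)
	if err != nil {
		return 0, 0, err
	}
	return si.Mode().Perm(), di.Mode().Perm(), nil
}

func main() {
	fmt.Println(serveOnce(false)) // socket 0600, directory 0600 (the bug)
	fmt.Println(serveOnce(true))  // socket 0600, directory 0755 (the fix)
}
```

The socket stays at 0600 in both runs; only the files created afterwards differ, which is why the reset has to sit between bind and accept.
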
@mheon
Member

mheon commented Jun 26, 2020

#6791 to fix

@42wim
Contributor Author

42wim commented Jun 26, 2020

@mheon this also fixes the /etc/resolv.conf incorrect mask, I guess?

@mheon
Member

mheon commented Jun 26, 2020

Have not verified that, let me check

@mheon
Member

mheon commented Jun 26, 2020

Looks like it does, permissions match between local and remote now.

@42wim
Contributor Author

42wim commented Jun 26, 2020

Tested with your patch, seems to work fine now, thanks!

mheon added a commit to mheon/libpod that referenced this issue Jul 6, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 23, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 23, 2023