conmon: chmod std files pipes #112
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
simonkrenger
suggested changes
Jan 7, 2020
src/conmon.c
Outdated
|
|
||
| if (slavefd_stderr < 0) | ||
| slavefd_stderr = slavefd_stdout; | ||
| if (dup2(slavefd_stderr, STDERR_FILENO) < 0) | ||
| pexit("Failed to dup over stderr"); | ||
| if (fchmod(STDERR_FILENO, 0777) < 0) | ||
| nwarn("Failed to chown stdout"); |
There was a problem hiding this comment.
Likely copy-paste error, shouldn't the error message read "Failed to chown stderr"?
There was a problem hiding this comment.
thanks for noticing it! Yeah it was a copy-paste error
make sure every user inside of the container can use the standard files. Without the chmod, only root in the container would be able to print to stdout. It went unnoticed with runc, as runc itself corrects these permissions but it should not be the OCI runtime responsibility since conmon is creating these files. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1786449 Signed-off-by: Giuseppe Scrivano <[email protected]>
|
LGTM |
1 similar comment
|
LGTM |
|
Can we get a new conmon release? |
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 7, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restroing the permissive state. Close containers#429
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 7, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state. Close containers#429
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 7, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state. Close containers#429 Signed-off-by: Attila Fazekas <[email protected]>
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 7, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state. Close containers#429 Signed-off-by: Attila Fazekas <[email protected]>
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 7, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state. Close containers#429 Signed-off-by: afazekas <[email protected]>
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 8, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state by default. 32816bd introduced the tty check for FreeBSD, assuming it is needed there. Close containers#429 Signed-off-by: afazekas <[email protected]>
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 8, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state by default. 32816bd introduced the tty check for FreeBSD, assuming it is needed there. Close containers#429 Signed-off-by: afazekas <[email protected]>
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 9, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state by default. 32816bd introduced a tty check assuming it was introduced to avoid too many warning logs on platfroms where several types are not supported. Instead of tty check using EINVAL check per the review comment. Close containers#429 Signed-off-by: afazekas <[email protected]>
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 9, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state by default. 32816bd introduced a tty check assuming it was introduced to avoid too many warning logs on platfroms where several types are not supported. Instead of tty check using EINVAL check per the review comment. Close containers#429 Signed-off-by: afazekas <[email protected]>
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 9, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state by default. Platforms which has a documented EINVAL usage for fchmod(2) indicates the fd in context is not supporting fchmod(2). In order to not have annoying logs in those cases the warning is omitted. Close containers#429 Signed-off-by: afazekas <[email protected]>
afazekas
added a commit
to afazekas/conmon
that referenced
this pull request
Jun 9, 2023
Since containers#112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state by default. 32816bd introduced a tty check assming it was introduced to avoid too many warning logs on platfroms where several types are not supported. Instead of tty check using error code check per review. Close containers#429 Signed-off-by: afazekas <[email protected]>
haircommander
pushed a commit
that referenced
this pull request
Jun 13, 2023
Since #112 the anonymous pipes are supposed to be more permissive. Restoring the permissive state by default. Platforms which has a documented EINVAL usage for fchmod(2) indicates the fd in context is not supporting fchmod(2). In order to not have annoying logs in those cases the warning is omitted. Close #429 Signed-off-by: afazekas <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
make sure every user inside of the container can use the standard
files. Without the chmod, only root in the container would be able to
print to stdout.
It went unnoticed with runc, as runc itself corrects these permissions
but it should not be the OCI runtime responsibility since conmon is
creating these files.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1786449
Signed-off-by: Giuseppe Scrivano [email protected]