Merge pull request #12813 from rhatdan/secrets

Fix permission on secrets directory
containers · Jan 12, 2022 · 6945b37 · 6945b37
2 parents 8272990 + 83b0fb4
commit 6945b37
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 1 deletion.
diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
@@ -429,7 +429,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 	}()
 
 	ctr.config.SecretsPath = filepath.Join(ctr.config.StaticDir, "secrets")
-	err = os.MkdirAll(ctr.config.SecretsPath, 0644)
+	err = os.MkdirAll(ctr.config.SecretsPath, 0755)
 	if err != nil {
 		return nil, err
 	}

diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
@@ -78,3 +78,19 @@ EOF
     # Then check that the main user is not mapped into the user namespace
     CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
 }
+
+@test "podman userns=auto and secrets" {
+    ns_user="containers"
+    if is_rootless; then
+        ns_user=$(id -un)
+    fi
+    egrep -q "${ns_user}:" /etc/subuid || skip "no IDs allocated for user ${ns_user}"
+    test_name="test_$(random_string 12)"
+    secret_file=$PODMAN_TMPDIR/secret$(random_string 12)
+    secret_content=$(random_string)
+    echo ${secret_content} > ${secret_file}
+    run_podman secret create ${test_name} ${secret_file}
+    run_podman run --rm --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
+    is ${output} ${secret_content} "Secrets should work with user namespace"
+    run_podman secret rm ${test_name}
+}