Fix to allow non-root users access to storage volumes. #3714
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… allowing non-root users access to subdirectories. Signed-off-by: dereknola <[email protected]>
briandowns
reviewed
Jul 26, 2021
Codecov Report
@@ Coverage Diff @@
## master #3714 +/- ##
=======================================
Coverage 11.59% 11.59%
=======================================
Files 135 135
Lines 8778 8778
=======================================
Hits 1018 1018
Misses 7539 7539
Partials 221 221
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
brandond
approved these changes
Jul 27, 2021
briandowns
approved these changes
Jul 27, 2021
Signed-off-by: dereknola <[email protected]>
Signed-off-by: dereknola <[email protected]>
Signed-off-by: dereknola <[email protected]>
dereknola
added a commit
to dereknola/k3s
that referenced
this pull request
Jul 28, 2021
* Fix to prevent non-root users from accessing storage directory, while allowing non-root users access to subdirectories. Signed-off-by: dereknola <[email protected]> * Added integration test Signed-off-by: dereknola <[email protected]>
dereknola
added a commit
that referenced
this pull request
Jul 28, 2021
* Fix to allow non-root users access to storage volumes. (#3714) * Fix to prevent non-root users from accessing storage directory, while allowing non-root users access to subdirectories. Signed-off-by: dereknola <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed Changes
Non root users can now access local-storage volumes, while making it difficult to view/access all storage volumes. The parent directory
/var/lib/rancher/k3s/storageis now 701, allowing non-root users access to sub-directories if they know the exact name of the sub-directory. All created local-storage volumes are reverted back to777.Types of Changes
Bugfix
Verification
/var/lib/rancher/k3s/storage/has 0701 permissionsLinked Issues
#3704
User-Facing Change
Further Comments
Security thru obscurity: The solution of having the
/var/lib/rancher/k3s/storageas 701 will not prevent other users from potentially accessing other storage pods. It just prevents easy access via tools likelsand such. If someone knows the name of the subdirectory, or can guess it, as the subdir is 777 there is nothing stopping them from accessing it.