Skip to content

Commit

Permalink
Fix permission on secrets directory
Browse files Browse the repository at this point in the history
This directory needs to be world searchable so users can access it from
different user namespaces.

Fixes: containers#12779

Signed-off-by: Daniel J Walsh <[email protected]>
  • Loading branch information
rhatdan committed Jan 11, 2022
1 parent 3404ad0 commit 83b0fb4
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 1 deletion.
2 changes: 1 addition & 1 deletion libpod/runtime_ctr.go
Original file line number Diff line number Diff line change
Expand Up @@ -429,7 +429,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
}()

ctr.config.SecretsPath = filepath.Join(ctr.config.StaticDir, "secrets")
err = os.MkdirAll(ctr.config.SecretsPath, 0644)
err = os.MkdirAll(ctr.config.SecretsPath, 0755)
if err != nil {
return nil, err
}
Expand Down
16 changes: 16 additions & 0 deletions test/system/170-run-userns.bats
Original file line number Diff line number Diff line change
Expand Up @@ -78,3 +78,19 @@ EOF
# Then check that the main user is not mapped into the user namespace
CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
}

@test "podman userns=auto and secrets" {
ns_user="containers"
if is_rootless; then
ns_user=$(id -un)
fi
egrep -q "${ns_user}:" /etc/subuid || skip "no IDs allocated for user ${ns_user}"
test_name="test_$(random_string 12)"
secret_file=$PODMAN_TMPDIR/secret$(random_string 12)
secret_content=$(random_string)
echo ${secret_content} > ${secret_file}
run_podman secret create ${test_name} ${secret_file}
run_podman run --rm --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
is ${output} ${secret_content} "Secrets should work with user namespace"
run_podman secret rm ${test_name}
}

0 comments on commit 83b0fb4

Please sign in to comment.