Allow /etc/containers/containers.conf to be read by non-root

If a root user writes to a config using Write(), and there is not already an /etc/containers/containers.conf, Write() will create it. This config file also needs to be read by non-root podman. Signed-off-by: Ashley Cui <[email protected]>
vrothberg · Jun 23, 2021 · 9082857 · 9082857
1 parent 99ee78d
commit 9082857
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -981,7 +981,7 @@ func (c *Config) Write() error {
 	if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
 		return err
 	}
-	configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0600)
+	configFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR|os.O_TRUNC, 0644)
 	if err != nil {
 		return err
 	}

diff --git a/pkg/config/config_local_test.go b/pkg/config/config_local_test.go
@@ -276,6 +276,11 @@ var _ = Describe("Config Local", func() {
 		err = config.Write()
 		// Then
 		gomega.Expect(err).To(gomega.BeNil())
+		fi, err := os.Stat(tmpfile)
+		gomega.Expect(err).To(gomega.BeNil())
+		perm := int(fi.Mode().Perm())
+		// 436 decimal = 644 octal
+		gomega.Expect(perm).To(gomega.Equal(420))
 		defer os.Remove(tmpfile)
 	})
 	It("Default Umask", func() {