if err != nil {
return err
}
- return idtools.MkdirAllAndChown(p, 0700, daemon.idMapping.RootPair())
+ return idtools.MkdirAllAndChown(p, 0701, idtools.CurrentIdentity())
}
}
container.RWLayer = rwLayer
- rootIDs := daemon.idMapping.RootPair()
-
- if err := idtools.MkdirAndChown(container.Root, 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAndChown(container.Root, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
- if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAndChown(container.CheckpointDir(), 0700, idtools.CurrentIdentity()); err != nil {
return nil, err
}
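Review bot: The literal `0701` on `container.Root` is unexplained, while `container.CheckpointDir()` two lines later keeps `0700`, so a reader cannot tell whether the difference is deliberate. Judging by the comments elsewhere on this page, the intent appears to be that the directory is owned by the daemon's own identity and o+x only lets a remapped root pass through it. A comment above the first call would record that, for example `// 0701: owned by the daemon's identity; o+x allows traversal by a remapped root, no listing`, with a matching note on why the checkpoint directory stays `0700`. The same bare literal recurs in the daemon-root, graph-driver and volume hunks below, where the same comment or a named constant per package would apply. The enclosing function starts and ends outside this hunk.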
}
daemonRepo := filepath.Join(config.Root, "containers")
- if err := idtools.MkdirAllAndChown(daemonRepo, 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAllAndChown(daemonRepo, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
return &idtools.IdentityMapping{}, nil
}
-func setupDaemonRoot(config *config.Config, rootDir string, rootIdentity idtools.Identity) error {
+func setupDaemonRoot(config *config.Config, rootDir string, remappedRoot idtools.Identity) error {
config.Root = rootDir
// the docker root metadata directory needs to have execute permissions for all users (g+x,o+x)
// so that syscalls executing as non-root, operating on subdirectories of the graph root
// a new subdirectory with ownership set to the remapped uid/gid (so as to allow
// `chdir()` to work for containers namespaced to that uid/gid)
if config.RemappedRoot != "" {
- config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", rootIdentity.UID, rootIdentity.GID))
+ id := idtools.CurrentIdentity()
+ // First make sure the current root dir has the correct perms.
+ if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
+ return errors.Wrapf(err, "could not create or set daemon root permissions: %s", config.Root)
+ }
+
+ config.Root = filepath.Join(rootDir, fmt.Sprintf("%d.%d", remappedRoot.UID, remappedRoot.GID))
logrus.Debugf("Creating user namespaced daemon root: %s", config.Root)
// Create the root directory if it doesn't exist
- if err := idtools.MkdirAllAndChown(config.Root, 0700, rootIdentity); err != nil {
+ if err := idtools.MkdirAllAndChown(config.Root, 0701, id); err != nil {
return fmt.Errorf("Cannot create daemon root: %s: %v", config.Root, err)
}
// we also need to verify that any pre-existing directories in the path to
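Review bot: Nothing in this hunk shows whether the added `idtools.MkdirAllAndChown(config.Root, 0701, id)` calls re-apply owner and mode to a directory that already exists, yet the comment `First make sure the current root dir has the correct perms` relies on exactly that. On a host upgraded from a build that created the `<uid>.<gid>` directory as 0700 owned by the remapped root, the directory would presumably stay under the remapped identity unless the helper corrects existing paths. A test that pre-creates the directory with the old owner and mode and checks both after `setupDaemonRoot` returns would pin the upgrade behaviour. The function body begins before and continues after this hunk.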
if dirPath == "/" {
break
}
- if !idtools.CanAccess(dirPath, rootIdentity) {
+ if !idtools.CanAccess(dirPath, remappedRoot) {
return fmt.Errorf("a subdirectory in your graphroot path (%s) restricts access to the remapped root uid/gid; please fix by allowing 'o+x' permissions on existing directories", config.Root)
}
}
locker: locker.New(),
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, err
- }
+ currentID := idtools.CurrentIdentity()
// Create the root aufs driver dir
- if err := idtools.MkdirAllAndChown(root, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(root, 0701, currentID); err != nil {
return nil, err
}
// Populate the dir structure
for _, p := range paths {
- if err := idtools.MkdirAllAndChown(path.Join(root, p), 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(path.Join(root, p), 0701, currentID); err != nil {
return nil, err
}
}
return nil, graphdriver.ErrPrerequisites
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, err
- }
- if err := idtools.MkdirAllAndChown(home, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
if err != nil {
return err
}
- if err := idtools.MkdirAllAndChown(subvolumes, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(subvolumes, 0701, idtools.CurrentIdentity()); err != nil {
return err
}
if parent == "" {
if err := d.setStorageSize(path.Join(subvolumes, id), driver); err != nil {
return err
}
- if err := idtools.MkdirAllAndChown(quotas, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(quotas, 0700, idtools.CurrentIdentity()); err != nil {
return err
}
if err := ioutil.WriteFile(path.Join(quotas, id), []byte(fmt.Sprint(driver.options.size)), 0644); err != nil {
logrus.WithField("storage-driver", "overlay").Warn(overlayutils.ErrDTypeNotSupported("overlay", backingFs))
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, err
- }
// Create the driver home dir
- if err := idtools.MkdirAllAndChown(home, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
}
root := idtools.Identity{UID: rootUID, GID: rootGID}
- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0700, root); err != nil {
+ currentID := idtools.CurrentIdentity()
+ if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, currentID); err != nil {
return err
}
- if err := idtools.MkdirAndChown(dir, 0700, root); err != nil {
+ if err := idtools.MkdirAndChown(dir, 0701, currentID); err != nil {
return err
}
// Toplevel images are just a "root" dir
if parent == "" {
+ // This must be 0755 otherwise unprivileged users will in the container will not be able to read / in the container
return idtools.MkdirAndChown(path.Join(dir, "root"), 0755, root)
}
if err := idtools.MkdirAndChown(path.Join(dir, "work"), 0700, root); err != nil {
return err
}
- return ioutil.WriteFile(path.Join(dir, "lower-id"), []byte(parent), 0666)
+ return ioutil.WriteFile(path.Join(dir, "lower-id"), []byte(parent), 0600)
}
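Review bot: The comment added above the `root` directory creation reads `unprivileged users will in the container will not be able to read / in the container`, which has a stray `will` and repeats `in the container`; `// This must be 0755, otherwise unprivileged users in the container cannot read /.` says the same thing. In the same hunk the remapped identity is still named `root` while the daemon's own identity is `currentID` (and `current` in the overlay2 hunk further down). A one-line comment on `root`, such as `// remapped root: used for the layer's root and work dirs, not for the parent directories`, would make the split explicit. The enclosing function starts outside the hunk.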
// Otherwise, copy the upper and the lower-id from the parent
return err
}
- if err := ioutil.WriteFile(path.Join(dir, "lower-id"), lowerID, 0666); err != nil {
+ if err := ioutil.WriteFile(path.Join(dir, "lower-id"), lowerID, 0600); err != nil {
return err
}
logger.Warn(overlayutils.ErrDTypeNotSupported("overlay2", backingFs))
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, err
- }
- // Create the driver home dir
- if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(path.Join(home, linkDir), 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
return err
}
root := idtools.Identity{UID: rootUID, GID: rootGID}
+ current := idtools.CurrentIdentity()
- if err := idtools.MkdirAllAndChown(path.Dir(dir), 0700, root); err != nil {
+ if err := idtools.MkdirAllAndChown(path.Dir(dir), 0701, current); err != nil {
return err
}
- if err := idtools.MkdirAndChown(dir, 0700, root); err != nil {
+ if err := idtools.MkdirAndChown(dir, 0701, current); err != nil {
return err
}
home: home,
idMapping: idtools.NewIDMappingsFromMaps(uidMaps, gidMaps),
}
- rootIDs := d.idMapping.RootPair()
- if err := idtools.MkdirAllAndChown(home, 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAllAndChown(home, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
func (d *Driver) create(id, parent string, size uint64) error {
dir := d.dir(id)
rootIDs := d.idMapping.RootPair()
- if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0700, rootIDs); err != nil {
+ if err := idtools.MkdirAllAndChown(filepath.Dir(dir), 0701, idtools.CurrentIdentity()); err != nil {
return err
}
if err := idtools.MkdirAndChown(dir, 0755, rootIDs); err != nil {
return nil, fmt.Errorf("BUG: zfs get all -t filesystem -rHp '%s' should contain '%s'", options.fsName, options.fsName)
}
- rootUID, rootGID, err := idtools.GetRootUIDGID(uidMaps, gidMaps)
- if err != nil {
- return nil, fmt.Errorf("Failed to get root uid/guid: %v", err)
- }
- if err := idtools.MkdirAllAndChown(base, 0700, idtools.Identity{UID: rootUID, GID: rootGID}); err != nil {
+ if err := idtools.MkdirAllAndChown(base, 0701, idtools.CurrentIdentity()); err != nil {
return nil, fmt.Errorf("Failed to create '%s': %v", base, err)
}
func New(scope string, rootIdentity idtools.Identity) (*Root, error) {
rootDirectory := filepath.Join(scope, volumesPathName)
- if err := idtools.MkdirAllAndChown(rootDirectory, 0700, rootIdentity); err != nil {
+ if err := idtools.MkdirAllAndChown(rootDirectory, 0701, idtools.CurrentIdentity()); err != nil {
return nil, err
}
}
path := r.DataPath(name)
+ volRoot := filepath.Dir(path)
+ // Root dir does not need to be accessed by the remapped root
+ if err := idtools.MkdirAllAndChown(volRoot, 0701, idtools.CurrentIdentity()); err != nil {
+ return nil, errors.Wrapf(errdefs.System(err), "error while creating volume root path '%s'", volRoot)
+ }
+
+ // Remapped root does need access to the data path
if err := idtools.MkdirAllAndChown(path, 0755, r.rootIdentity); err != nil {
- return nil, errors.Wrapf(errdefs.System(err), "error while creating volume path '%s'", path)
+ return nil, errors.Wrapf(errdefs.System(err), "error while creating volume data path '%s'", path)
}
var err error