github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 06:54:01 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #61284 from jsafrane/fix-fsgroup-subpath

Browse Source 
Automatic merge from submit-queue (batch tested with PRs 61284, 61119, 61201). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Fix creation of subpath with SUID/SGID directories.

SafeMakeDir() should apply SUID/SGID/sticky bits to the directory it creates.

Fixes #61283 

**Release note**:

```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue 2018-03-16 16:55:57 -07:00 committed by GitHub
commit f125152212
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 68 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/util/mount/mount_linux.go
View File

@ -1032,7 +1032,19 @@ func doSafeMakeDir(pathname string, base string, perm os.FileMode) error {
// so user can read/write it. This is the behavior of previous code. // so user can read/write it. This is the behavior of previous code.
// TODO: chmod all created directories, not just the last one. // TODO: chmod all created directories, not just the last one.
// parentFD is the last created directory. // parentFD is the last created directory.
if err = syscall.Fchmod(parentFD, uint32(perm)&uint32(os.ModePerm)); err != nil {
// Translate perm (os.FileMode) to uint32 that fchmod() expects
kernelPerm := uint32(perm & os.ModePerm)
if perm&os.ModeSetgid > 0 {
kernelPerm |= syscall.S_ISGID
}
if perm&os.ModeSetuid > 0 {
kernelPerm |= syscall.S_ISUID
}
if perm&os.ModeSticky > 0 {
kernelPerm |= syscall.S_ISVTX
}
if err = syscall.Fchmod(parentFD, kernelPerm); err != nil {
return fmt.Errorf("chmod %q failed: %s", currentPath, err) return fmt.Errorf("chmod %q failed: %s", currentPath, err)
} }
return nil return nil

56
pkg/util/mount/mount_linux_test.go
View File

@ -418,7 +418,7 @@ func TestPathWithinBase(t *testing.T) {
} }
func TestSafeMakeDir(t *testing.T) { func TestSafeMakeDir(t *testing.T) {
defaultPerm := os.FileMode(0750) defaultPerm := os.FileMode(0750) + os.ModeDir
tests := []struct { tests := []struct {
name string name string
// Function that prepares directory structure for the test under given // Function that prepares directory structure for the test under given
@ -426,6 +426,7 @@ func TestSafeMakeDir(t *testing.T) {
prepare func(base string) error prepare func(base string) error
path string path string
checkPath string checkPath string
perm os.FileMode
expectError bool expectError bool
}{ }{
{ {
@ -435,6 +436,37 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test/directory", "test/directory",
"test/directory", "test/directory",
defaultPerm,
false,
},
{
"directory-with-sgid",
func(base string) error {
return nil
},
"test/directory",
"test/directory",
os.FileMode(0777) + os.ModeDir + os.ModeSetgid,
false,
},
{
"directory-with-suid",
func(base string) error {
return nil
},
"test/directory",
"test/directory",
os.FileMode(0777) + os.ModeDir + os.ModeSetuid,
false,
},
{
"directory-with-sticky-bit",
func(base string) error {
return nil
},
"test/directory",
"test/directory",
os.FileMode(0777) + os.ModeDir + os.ModeSticky,
false, false,
}, },
{ {
@ -444,6 +476,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test/directory", "test/directory",
"test/directory", "test/directory",
defaultPerm,
false, false,
}, },
{ {
@ -453,6 +486,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"", "",
"", "",
defaultPerm,
false, false,
}, },
{ {
@ -462,6 +496,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"..", "..",
"", "",
defaultPerm,
true, true,
}, },
{ {
@ -471,6 +506,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test/../../..", "test/../../..",
"", "",
defaultPerm,
true, true,
}, },
{ {
@ -483,6 +519,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test/directory", "test/directory",
"destination/directory", "destination/directory",
defaultPerm,
false, false,
}, },
{ {
@ -492,6 +529,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test/directory", "test/directory",
"", "",
defaultPerm,
true, true,
}, },
{ {
@ -514,6 +552,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test1/dir/dir/dir/dir/dir/dir/dir/foo", "test1/dir/dir/dir/dir/dir/dir/dir/foo",
"test2/foo", "test2/foo",
defaultPerm,
false, false,
}, },
{ {
@ -523,6 +562,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test/directory", "test/directory",
"", "",
defaultPerm,
true, true,
}, },
{ {
@ -532,6 +572,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test/directory", "test/directory",
"", "",
defaultPerm,
true, true,
}, },
{ {
@ -541,6 +582,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test", "test",
"", "",
defaultPerm,
true, true,
}, },
{ {
@ -556,6 +598,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"dir/test", "dir/test",
"", "",
defaultPerm,
false, false,
}, },
{ {
@ -568,6 +611,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"dir/test", "dir/test",
"", "",
defaultPerm,
true, true,
}, },
{ {
@ -577,6 +621,7 @@ func TestSafeMakeDir(t *testing.T) {
}, },
"test/directory", "test/directory",
"", "",
defaultPerm,
true, true,
}, },
} }
@ -589,7 +634,7 @@ func TestSafeMakeDir(t *testing.T) {
} }
test.prepare(base) test.prepare(base)
pathToCreate := filepath.Join(base, test.path) pathToCreate := filepath.Join(base, test.path)
err = doSafeMakeDir(pathToCreate, base, defaultPerm) err = doSafeMakeDir(pathToCreate, base, test.perm)
if err != nil && !test.expectError { if err != nil && !test.expectError {
t.Errorf("test %q: %s", test.name, err) t.Errorf("test %q: %s", test.name, err)
} }
@ -601,14 +646,17 @@ func TestSafeMakeDir(t *testing.T) {
} }
if test.checkPath != "" { if test.checkPath != "" {
if _, err := os.Stat(filepath.Join(base, test.checkPath)); err != nil { st, err := os.Stat(filepath.Join(base, test.checkPath))
if err != nil {
t.Errorf("test %q: cannot read path %s", test.name, test.checkPath) t.Errorf("test %q: cannot read path %s", test.name, test.checkPath)
} }
if st.Mode() != test.perm {
t.Errorf("test %q: expected permissions %o, got %o", test.name, test.perm, st.Mode())
}
} }
os.RemoveAll(base) os.RemoveAll(base)
} }
} }
func validateDirEmpty(dir string) error { func validateDirEmpty(dir string) error {

4
test/e2e/common/empty_dir.go
View File

@ -41,7 +41,7 @@ var (
var _ = Describe("[sig-storage] EmptyDir volumes", func() { var _ = Describe("[sig-storage] EmptyDir volumes", func() {
f := framework.NewDefaultFramework("emptydir") f := framework.NewDefaultFramework("emptydir")
Context("when FSGroup is specified [Feature:FSGroup]", func() { Context("when FSGroup is specified", func() {
It("new files should be created with FSGroup ownership when container is root", func() { It("new files should be created with FSGroup ownership when container is root", func() {
doTestSetgidFSGroup(f, testImageRootUid, v1.StorageMediumMemory) doTestSetgidFSGroup(f, testImageRootUid, v1.StorageMediumMemory)
}) })
@ -252,6 +252,7 @@ func doTestSubPathFSGroup(f *framework.Framework, image string, medium v1.Storag
fmt.Sprintf("--fs_type=%v", volumePath), fmt.Sprintf("--fs_type=%v", volumePath),
fmt.Sprintf("--file_perm=%v", volumePath), fmt.Sprintf("--file_perm=%v", volumePath),
fmt.Sprintf("--file_owner=%v", volumePath), fmt.Sprintf("--file_owner=%v", volumePath),
fmt.Sprintf("--file_mode=%v", volumePath),
} }
pod.Spec.Containers[0].VolumeMounts[0].SubPath = subPath pod.Spec.Containers[0].VolumeMounts[0].SubPath = subPath
@ -264,6 +265,7 @@ func doTestSubPathFSGroup(f *framework.Framework, image string, medium v1.Storag
"perms of file \"/test-volume\": -rwxrwxrwx", "perms of file \"/test-volume\": -rwxrwxrwx",
"owner UID of \"/test-volume\": 0", "owner UID of \"/test-volume\": 0",
"owner GID of \"/test-volume\": 123", "owner GID of \"/test-volume\": 123",
"mode of file \"/test-volume\": dgtrwxrwxrwx",
} }
if medium == v1.StorageMediumMemory { if medium == v1.StorageMediumMemory {
out = append(out, "mount type of \"/test-volume\": tmpfs") out = append(out, "mount type of \"/test-volume\": tmpfs")