Fix permission on secrets directory

This directory needs to be world searchable so users can access it from different user namespaces. Fixes: https://github.com/containers/podman/issues/12779 Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
2022-01-11 13:51:10 -05:00 · 2022-01-11 13:51:10 -05:00 · 83b0fb4696
parent 3404ad042d
commit 83b0fb4696
2 changed files with 17 additions and 1 deletions
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@ -429,7 +429,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 	}()

 	ctr.config.SecretsPath = filepath.Join(ctr.config.StaticDir, "secrets")
-	err = os.MkdirAll(ctr.config.SecretsPath, 0644)
+	err = os.MkdirAll(ctr.config.SecretsPath, 0755)
 	if err != nil {
 		return nil, err
 	}
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@ -78,3 +78,19 @@ EOF
    # Then check that the main user is not mapped into the user namespace
    CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
 }
+
+@test "podman userns=auto and secrets" {
+    ns_user="containers"
+    if is_rootless; then
+        ns_user=$(id -un)
+    fi
+    egrep -q "${ns_user}:" /etc/subuid || skip "no IDs allocated for user ${ns_user}"
+    test_name="test_$(random_string 12)"
+    secret_file=$PODMAN_TMPDIR/secret$(random_string 12)
+    secret_content=$(random_string)
+    echo ${secret_content} > ${secret_file}
+    run_podman secret create ${test_name} ${secret_file}
+    run_podman run --rm --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
+    is ${output} ${secret_content} "Secrets should work with user namespace"
+    run_podman secret rm ${test_name}
+}