Merge pull request #451 from cloudfoundry/g306-fix

Fix file/dir creation permissions
cloudfoundry · Sep 16, 2024 · cd421f9 · cd421f9
2 parents 87e1e97 + 27f29b6
commit cd421f9
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 18 deletions.
diff --git a/gqt/cmd/fake_image_plugin/main.go b/gqt/cmd/fake_image_plugin/main.go
@@ -143,15 +143,15 @@ var CreateCommand = cli.Command{
 
 		argsFile := ctx.String("args-path")
 		if argsFile != "" {
-			err := os.WriteFile(argsFile, []byte(strings.Join(os.Args, " ")), 0777)
+			err := os.WriteFile(argsFile, []byte(strings.Join(os.Args, " ")), 0644)
 			if err != nil {
 				panic(err)
 			}
 		}
 
 		whoamiFile := ctx.String("create-whoami-path")
 		if whoamiFile != "" {
-			err := os.WriteFile(whoamiFile, []byte(fmt.Sprintf("%d - %d", os.Getuid(), os.Getgid())), 0777)
+			err := os.WriteFile(whoamiFile, []byte(fmt.Sprintf("%d - %d", os.Getuid(), os.Getgid())), 0644)
 			if err != nil {
 				panic(err)
 			}
@@ -164,7 +164,7 @@ var CreateCommand = cli.Command{
 				panic(err)
 			}
 
-			err = os.WriteFile(binLocationFile, []byte(executable), 0777)
+			err = os.WriteFile(binLocationFile, []byte(executable), 0644)
 			if err != nil {
 				panic(err)
 			}
@@ -173,7 +173,7 @@ var CreateCommand = cli.Command{
 		rootfsPath := ctx.String("rootfs-path")
 		if rootfsPath != "" {
 			rootFSPath := filepath.Join(rootfsPath, "rootfs")
-			if err := os.MkdirAll(rootFSPath, 0777); err != nil {
+			if err := os.MkdirAll(rootFSPath, 0755); err != nil {
 				panic(err)
 			}
 		}
@@ -237,15 +237,15 @@ var DeleteCommand = cli.Command{
 
 		argsFile := ctx.String("args-path")
 		if argsFile != "" {
-			err := os.WriteFile(argsFile, []byte(strings.Join(os.Args, " ")), 0777)
+			err := os.WriteFile(argsFile, []byte(strings.Join(os.Args, " ")), 0644)
 			if err != nil {
 				panic(err)
 			}
 		}
 
 		whoamiFile := ctx.String("destroy-whoami-path")
 		if whoamiFile != "" {
-			err := os.WriteFile(whoamiFile, []byte(fmt.Sprintf("%d - %d", os.Getuid(), os.Getgid())), 0777)
+			err := os.WriteFile(whoamiFile, []byte(fmt.Sprintf("%d - %d", os.Getuid(), os.Getgid())), 0644)
 			if err != nil {
 				panic(err)
 			}
@@ -264,7 +264,7 @@ var DeleteCommand = cli.Command{
 			}
 			f.Close()
 
-			f, err = os.OpenFile(binLocationFile, os.O_APPEND|os.O_WRONLY, 0777)
+			f, err = os.OpenFile(binLocationFile, os.O_APPEND|os.O_WRONLY, 0644)
 			if err != nil {
 				panic(err)
 			}
@@ -298,15 +298,15 @@ var StatsCommand = cli.Command{
 		}
 		argsFile := ctx.String("args-path")
 		if argsFile != "" {
-			err := os.WriteFile(argsFile, []byte(strings.Join(os.Args, " ")), 0777)
+			err := os.WriteFile(argsFile, []byte(strings.Join(os.Args, " ")), 0644)
 			if err != nil {
 				panic(err)
 			}
 		}
 
 		whoamiFile := ctx.String("metrics-whoami-path")
 		if whoamiFile != "" {
-			err := os.WriteFile(whoamiFile, []byte(fmt.Sprintf("%d - %d", os.Getuid(), os.Getgid())), 0777)
+			err := os.WriteFile(whoamiFile, []byte(fmt.Sprintf("%d - %d", os.Getuid(), os.Getgid())), 0644)
 			if err != nil {
 				panic(err)
 			}
@@ -319,7 +319,7 @@ var StatsCommand = cli.Command{
 				panic(err)
 			}
 
-			err = os.WriteFile(binLocationFile, []byte(executable), 0777)
+			err = os.WriteFile(binLocationFile, []byte(executable), 0644)
 			if err != nil {
 				panic(err)
 			}

diff --git a/gqt/cmd/fake_runtime_plugin/main.go b/gqt/cmd/fake_runtime_plugin/main.go
@@ -54,7 +54,7 @@ func main() {
 }
 
 func writeArgs(action string) {
-	err := os.WriteFile(filepath.Join(os.TempDir(), fmt.Sprintf("%s-args", action)), []byte(strings.Join(os.Args, " ")), 0777)
+	err := os.WriteFile(filepath.Join(os.TempDir(), fmt.Sprintf("%s-args", action)), []byte(strings.Join(os.Args, " ")), 0644)
 	if err != nil {
 		panic(err)
 	}
@@ -88,7 +88,7 @@ var CreateCommand = cli.Command{
 	Action: func(ctx *cli.Context) error {
 		writeArgs("create")
 
-		if err := os.WriteFile(ctx.String("pid-file"), []byte(strconv.Itoa(os.Getppid())), 0777); err != nil {
+		if err := os.WriteFile(ctx.String("pid-file"), []byte(strconv.Itoa(os.Getppid())), 0644); err != nil {
 			panic(err)
 		}
 
@@ -116,7 +116,7 @@ var RunCommand = cli.Command{
 	Action: func(ctx *cli.Context) error {
 		writeArgs("run")
 
-		if err := os.WriteFile(ctx.String("pid-file"), []byte(strconv.Itoa(os.Getppid())), 0777); err != nil {
+		if err := os.WriteFile(ctx.String("pid-file"), []byte(strconv.Itoa(os.Getppid())), 0644); err != nil {
 			panic(err)
 		}
 
@@ -232,7 +232,7 @@ var ExecCommand = cli.Command{
 		childCmd := exec.Command(os.Args[0], "child", "--exitcode", exitCodeStr)
 		must(childCmd.Start())
 		childPid := childCmd.Process.Pid
-		must(os.WriteFile(ctx.String("pid-file"), []byte(fmt.Sprintf("%d", childPid)), 0777))
+		must(os.WriteFile(ctx.String("pid-file"), []byte(fmt.Sprintf("%d", childPid)), 0644))
 
 		os.Exit(exitCode)
 

diff --git a/gqt/containerdrunner/runner.go b/gqt/containerdrunner/runner.go
@@ -90,7 +90,7 @@ func ContainerdConfig(containerdDataDir string) Config {
 }
 
 func NewContainerdProcess(runDir string, config Config) *os.Process {
-	configFile, err := os.OpenFile(filepath.Join(runDir, "containerd.toml"), os.O_TRUNC|os.O_WRONLY|os.O_CREATE, os.ModePerm)
+	configFile, err := os.OpenFile(filepath.Join(runDir, "containerd.toml"), os.O_TRUNC|os.O_WRONLY|os.O_CREATE, 0644)
 	Expect(err).NotTo(HaveOccurred())
 	Expect(toml.NewEncoder(configFile).Encode(&config)).To(Succeed())
 	Expect(configFile.Close()).To(Succeed())

diff --git a/gqt/runner/runner.go b/gqt/runner/runner.go
@@ -220,7 +220,7 @@ func DefaultGdnRunnerConfig(binaries Binaries) GdnRunnerConfig {
 	var err error
 	config.TmpDir, err = os.MkdirTemp("", fmt.Sprintf("test-garden-%s-", config.Tag))
 	Expect(err).NotTo(HaveOccurred())
-	Expect(os.Chmod(config.TmpDir, 0777)).To(Succeed())
+	Expect(os.Chmod(config.TmpDir, 0755)).To(Succeed())
 
 	config.ConsoleSocketsPath = filepath.Join(config.TmpDir, "console-sockets")
 	config.DepotDir = filepath.Join(config.TmpDir, "containers")

diff --git a/rundmc/cgroups/starter_linux.go b/rundmc/cgroups/starter_linux.go
@@ -248,7 +248,7 @@ func (s *CgroupStarter) modifyAllowedDevices(dir string, devices []specs.LinuxDe
 		return nil
 	}
 
-	if err := os.WriteFile(filepath.Join(dir, "devices.deny"), []byte("a"), 0770); err != nil {
+	if err := os.WriteFile(filepath.Join(dir, "devices.deny"), []byte("a"), 0640); err != nil {
 		return err
 	}
 

diff --git a/rundmc/runcontainerd/cgroup_manager.go b/rundmc/runcontainerd/cgroup_manager.go
@@ -45,5 +45,5 @@ func (m cgroupManager) SetUseMemoryHierarchy(handle string) error {
 		return err
 	}
 
-	return os.WriteFile(filepath.Join(state.CgroupPaths.Memory, "memory.use_hierarchy"), []byte("1"), os.ModePerm)
+	return os.WriteFile(filepath.Join(state.CgroupPaths.Memory, "memory.use_hierarchy"), []byte("1"), 0644)
 }