From 040b426a191dc6835eedd608e26010ea78be0e56 Mon Sep 17 00:00:00 2001 From: "Alex Ellis (OpenFaaS Ltd)" Date: Tue, 28 Jan 2020 12:48:00 +0000 Subject: [PATCH] Set all permissions to 0644 vs a mixture This appeared to prevent the provider's secret code from creating files in its working directory. The patch makes all code use the same permission. Signed-off-by: Alex Ellis (OpenFaaS Ltd) --- cmd/install.go | 5 ++++- cmd/provider.go | 4 ++-- cmd/up.go | 2 +- pkg/supervisor.go | 7 ++++--- 4 files changed, 11 insertions(+), 7 deletions(-) diff --git a/cmd/install.go b/cmd/install.go index cc0bb10..4325cef 100644 --- a/cmd/install.go +++ b/cmd/install.go @@ -18,7 +18,10 @@ var installCmd = &cobra.Command{ RunE: runInstall, } +const workingDirectoryPermission = 0644 + const faasdwd = "/var/lib/faasd" + const faasdProviderWd = "/var/lib/faasd-provider" func runInstall(_ *cobra.Command, _ []string) error { @@ -102,7 +105,7 @@ func binExists(folder, name string) error { func ensureWorkingDir(folder string) error { if _, err := os.Stat(folder); err != nil { - err = os.MkdirAll(folder, 0600) + err = os.MkdirAll(folder, workingDirectoryPermission) if err != nil { return err } diff --git a/cmd/provider.go b/cmd/provider.go index 4acf673..1bc7d7c 100644 --- a/cmd/provider.go +++ b/cmd/provider.go @@ -39,14 +39,14 @@ func runProvider(_ *cobra.Command, _ []string) error { } writeHostsErr := ioutil.WriteFile(path.Join(wd, "hosts"), - []byte(`127.0.0.1 localhost`), 0644) + []byte(`127.0.0.1 localhost`), workingDirectoryPermission) if writeHostsErr != nil { return fmt.Errorf("cannot write hosts file: %s", writeHostsErr) } writeResolvErr := ioutil.WriteFile(path.Join(wd, "resolv.conf"), - []byte(`nameserver 8.8.8.8`), 0644) + []byte(`nameserver 8.8.8.8`), workingDirectoryPermission) if writeResolvErr != nil { return fmt.Errorf("cannot write resolv.conf file: %s", writeResolvErr) diff --git a/cmd/up.go b/cmd/up.go index 7d6e8b7..6e41779 100644 --- a/cmd/up.go +++ b/cmd/up.go 
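Review bot: `workingDirectoryPermission` in the first cmd/install.go hunk is named for a directory, but its value 0644 is a file mode, and the rest of the patch passes it to `ioutil.WriteFile` in cmd/provider.go, cmd/up.go and pkg/supervisor.go. Directories and files need different bits, so I would keep the directory constant for `os.MkdirAll` only and add a documented `const workingFilePermission = 0644` for the file writes. The constant is also declared a second time in pkg/supervisor.go. If cmd already imports pkg (not visible here), exporting it from one place keeps the two copies from drifting apart.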
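Review bot: `os.MkdirAll(folder, workingDirectoryPermission)` in ensureWorkingDir creates the directory with 0644, which has no search (x) bit, so only a process that bypasses permission checks, typically root, can create or open entries inside it; the old 0600 had the same gap. A directory mode is needed here, for example `err = os.MkdirAll(folder, 0755)`, or `0700` if the provider's secret files mentioned in the commit message live under these paths and should not be listable by other users. The call runs only when `os.Stat` fails, so directories created by an earlier install keep their 0600 mode unless an explicit `os.Chmod` is added. ensureWorkingDir's body continues outside the hunk.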
@@ -193,7 +193,7 @@ func makeFile(filePath, fileContents string) error { return nil } else if os.IsNotExist(err) { log.Printf("Writing to: %q\n", filePath) - return ioutil.WriteFile(filePath, []byte(fileContents), 0644) + return ioutil.WriteFile(filePath, []byte(fileContents), workingDirectoryPermission) } else { return err } diff --git a/pkg/supervisor.go b/pkg/supervisor.go index c80f013..4fc8015 100644 --- a/pkg/supervisor.go +++ b/pkg/supervisor.go @@ -24,10 +24,11 @@ import ( "github.com/opencontainers/runtime-spec/specs-go" ) +const workingDirectoryPermission = 0644 + const defaultSnapshotter = "overlayfs" const ( - // TODO: CNIBinDir and CNIConfDir should maybe be globally configurable? // CNIBinDir describes the directory where the CNI binaries are stored CNIBinDir = "/opt/cni/bin" // CNIConfDir describes the directory where the CNI plugin's configuration is stored @@ -90,7 +91,7 @@ func (s *Supervisor) Start(svcs []Service) error { %s faas-containerd`, ip) writeHostsErr := ioutil.WriteFile(path.Join(wd, "hosts"), - []byte(hosts), 0644) + []byte(hosts), workingDirectoryPermission) if writeHostsErr != nil { return fmt.Errorf("cannot write hosts file: %s", writeHostsErr) @@ -206,7 +207,7 @@ func (s *Supervisor) Start(svcs []Service) error { hosts = []byte(string(hosts) + fmt.Sprintf(` %s %s `, ip, svc.Name)) - writeErr := ioutil.WriteFile("hosts", hosts, 0644) + writeErr := ioutil.WriteFile("hosts", hosts, workingDirectoryPermission) if writeErr != nil { log.Printf("Error writing file %s %s\n", "hosts", writeErr)
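Review bot: makeFile in cmd/up.go now takes its mode from the shared 0644 constant, so every file it creates is readable by all local users and cannot be tightened without also changing the hosts and resolv.conf writes. Its callers are outside the hunk; if any of them store credentials or other secrets through it, those files should be created with 0600, which needs either a mode parameter on makeFile or a separate constant for secret files. `ioutil.WriteFile` applies the mode only when it creates the file, which holds here because this branch runs only on `os.IsNotExist`.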
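Review bot: In the last pkg/supervisor.go hunk, `ioutil.WriteFile("hosts", hosts, workingDirectoryPermission)` writes to a path relative to the process's current directory, while the earlier write in Start uses `path.Join(wd, "hosts")`. If `wd` is still in scope at that point (the lines between the two hunks are not shown), `ioutil.WriteFile(path.Join(wd, "hosts"), hosts, workingDirectoryPermission)` keeps the file from landing in an unexpected directory when the service is started from somewhere else. The mode argument only takes effect when the file is created, so an existing hosts file keeps whatever mode it already has. A failed write is only logged, so a comment stating that this is deliberate best-effort would help. Start's body begins and ends outside the hunk.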