Set all permissions to 0644 vs a mixture

This appeared to prevent the provider's secret code from creating files in its working directory. The patch makes all code use the same permission. Signed-off-by: Alex Ellis (OpenFaaS Ltd) <alexellis2@gmail.com>
2025-06-09 16:36:47 +00:00 · 2020-01-28 12:48:00 +00:00 · 2020-01-28 12:48:00 +00:00 · 040b426a19
commit 040b426a19
parent 251cb2d08a
4 changed files with 11 additions and 7 deletions
--- a/cmd/install.go
+++ b/cmd/install.go
@ -18,7 +18,10 @@ var installCmd = &cobra.Command{
 	RunE:  runInstall,
 }

+const workingDirectoryPermission = 0644
+
 const faasdwd = "/var/lib/faasd"
+
 const faasdProviderWd = "/var/lib/faasd-provider"

 func runInstall(_ *cobra.Command, _ []string) error {
@ -102,7 +105,7 @@ func binExists(folder, name string) error {

 func ensureWorkingDir(folder string) error {
 	if _, err := os.Stat(folder); err != nil {
-		err = os.MkdirAll(folder, 0600)
+		err = os.MkdirAll(folder, workingDirectoryPermission)
 		if err != nil {
 			return err
 		}
--- a/cmd/provider.go
+++ b/cmd/provider.go
@ -39,14 +39,14 @@ func runProvider(_ *cobra.Command, _ []string) error {
 	}

 	writeHostsErr := ioutil.WriteFile(path.Join(wd, "hosts"),
-		[]byte(`127.0.0.1	localhost`), 0644)
+		[]byte(`127.0.0.1	localhost`), workingDirectoryPermission)

 	if writeHostsErr != nil {
 		return fmt.Errorf("cannot write hosts file: %s", writeHostsErr)
 	}

 	writeResolvErr := ioutil.WriteFile(path.Join(wd, "resolv.conf"),
-		[]byte(`nameserver 8.8.8.8`), 0644)
+		[]byte(`nameserver 8.8.8.8`), workingDirectoryPermission)

 	if writeResolvErr != nil {
 		return fmt.Errorf("cannot write resolv.conf file: %s", writeResolvErr)
--- a/cmd/up.go
+++ b/cmd/up.go
@ -193,7 +193,7 @@ func makeFile(filePath, fileContents string) error {
 		return nil
 	} else if os.IsNotExist(err) {
 		log.Printf("Writing to: %q\n", filePath)
-		return ioutil.WriteFile(filePath, []byte(fileContents), 0644)
+		return ioutil.WriteFile(filePath, []byte(fileContents), workingDirectoryPermission)
 	} else {
 		return err
 	}
--- a/pkg/supervisor.go
+++ b/pkg/supervisor.go
@ -24,10 +24,11 @@ import (
 	"github.com/opencontainers/runtime-spec/specs-go"
 )

+const workingDirectoryPermission = 0644
+
 const defaultSnapshotter = "overlayfs"

 const (
-	// TODO: CNIBinDir and CNIConfDir should maybe be globally configurable?
 	// CNIBinDir describes the directory where the CNI binaries are stored
 	CNIBinDir = "/opt/cni/bin"
 	// CNIConfDir describes the directory where the CNI plugin's configuration is stored
@ -90,7 +91,7 @@ func (s *Supervisor) Start(svcs []Service) error {
 %s	faas-containerd`, ip)

 	writeHostsErr := ioutil.WriteFile(path.Join(wd, "hosts"),
-		[]byte(hosts), 0644)
+		[]byte(hosts), workingDirectoryPermission)

 	if writeHostsErr != nil {
 		return fmt.Errorf("cannot write hosts file: %s", writeHostsErr)
@ -206,7 +207,7 @@ func (s *Supervisor) Start(svcs []Service) error {
 		hosts = []byte(string(hosts) + fmt.Sprintf(`
 %s	%s
 `, ip, svc.Name))
-		writeErr := ioutil.WriteFile("hosts", hosts, 0644)
+		writeErr := ioutil.WriteFile("hosts", hosts, workingDirectoryPermission)

 		if writeErr != nil {
 			log.Printf("Error writing file %s %s\n", "hosts", writeErr)