
Changes local storage pods to have 700 permissions #3537

Merged (2 commits), Jun 29, 2021

Conversation

dereknola (Member)

Signed-off-by: dereknola [email protected]

Proposed Changes

Individual storage pods under /var/lib/rancher/k3s/storage will now have 0700 permissions to prevent other users from accessing them.

Types of Changes

Changed mkdir call in local-storage.yaml

Verification

Linked Issues

#2348

@dereknola dereknola self-assigned this Jun 29, 2021
@dereknola dereknola requested a review from a team as a code owner June 29, 2021 17:51
briandowns (Contributor) left a comment


LGTM

@dereknola dereknola merged commit 3e1693b into k3s-io:master Jun 29, 2021
dereknola added a commit to dereknola/k3s that referenced this pull request Jun 29, 2021
* Changes local storage pods to have 700 permissions

Signed-off-by: dereknola <[email protected]>
dereknola added a commit that referenced this pull request Jun 30, 2021
* Changes local storage pods to have 700 permissions

Signed-off-by: dereknola <[email protected]>
@dereknola dereknola linked an issue Jul 2, 2021 that may be closed by this pull request
@dereknola dereknola deleted the volumes_700 branch July 28, 2021 17:28
flokli commented Aug 3, 2021

This broke all volumes for containers running not as root. See #3704, which reported this as a k3s regression.

From rancher/local-path-provisioner#182 (comment), /var/lib/rancher/k3s/storage shouldn't be world-readable (but restricted to root), and individual volumes should be chmod 777:

So the volume itself is 0777, but the parent directory is secured with 0700 and accessible by root only.
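Added example, not code from this PR or the k3s project: a POSIX shell audit of the permission layout described in the comment above (storage root 0700, each volume directory below it 0777), run against a constructed temp tree that also contains the 0700-volume layout this PR shipped. It assumes GNU coreutils for `stat -c`; the function names `check_storage_perms` and `make_fixture` are hypothetical.

```shell
#!/bin/sh
# Added example, not k3s project code: audits the layout the thread converges on,
# storage root 0700 (root-only traversal) and each per-volume directory 0777 so
# non-root containers can write. Assumes GNU coreutils (stat -c).

# check_storage_perms DIR: print one line per violation, return 1 if any found.
check_storage_perms() {
    root=$1
    bad=0
    if [ ! -d "$root" ]; then
        echo "missing: $root"
        return 1
    fi
    mode=$(stat -c '%a' "$root")
    if [ "$mode" != "700" ]; then
        echo "root $root has mode $mode, expected 700"
        bad=1
    fi
    for vol in "$root"/*/; do
        [ -d "$vol" ] || continue
        vol=${vol%/}
        mode=$(stat -c '%a' "$vol")
        if [ "$mode" != "777" ]; then
            echo "volume $vol has mode $mode, expected 777"
            bad=1
        fi
    done
    return "$bad"
}

# make_fixture: constructed sample tree in a temp dir. "good" is the intended
# layout; "bad" reproduces the regression this PR caused (volume dir 0700).
make_fixture() {
    base=$(mktemp -d)
    mkdir -p "$base/good/pvc-a" "$base/bad/pvc-b"
    chmod 700 "$base/good" "$base/bad"
    chmod 777 "$base/good/pvc-a"
    chmod 700 "$base/bad/pvc-b"
    echo "$base"
}

if [ "$#" -gt 0 ]; then
    check_storage_perms "$1"   # audit a real tree, e.g. /var/lib/rancher/k3s/storage
else
    demo=$(make_fixture)
    if check_storage_perms "$demo/good"; then echo "good layout: OK"; fi
    if ! check_storage_perms "$demo/bad"; then echo "bad layout flagged"; fi
    rm -rf "$demo"
fi
```

Run it with no arguments to see the constructed good and bad trees judged, or pass the storage root of a node to audit it.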

brandond (Member) commented Aug 3, 2021

@flokli if you look at the bottom of that issue you should see linked PRs for every branch resolving the regression. The fix will be included in the next release.

flokli commented Aug 4, 2021

@brandond let's take the discussion over to #2348 (comment).

Successfully merging this pull request may close these issues.

/var/lib/rancher/k3s/storage should not be world-readable.
4 participants