Volumes are created with 0777 mode #182

Closed
dchirikov opened this issue Mar 10, 2021 · 3 comments
@dchirikov (Contributor)

Hi devs

I read through the code and configs and found out that volumes are created with 0777 perms. I think this is suboptimal, as local users on the host can have access to the data. Would it make sense to use something like this (draft):

diff --git a/deploy/local-path-storage.yaml b/deploy/local-path-storage.yaml
index 8148b00..020f5bf 100644
--- a/deploy/local-path-storage.yaml
+++ b/deploy/local-path-storage.yaml
@@ -125,7 +125,8 @@ data:
         esac
     done
 
-    mkdir -m 0777 -p ${absolutePath}
+    mkdir -m 0700 -p ${absolutePath}
+    mkdir -m 0777 -p ${absolutePath}/volume
   teardown: |-
     #!/bin/sh
     while getopts "m:s:p:" opt
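Review bot: `mkdir -m 0700 -p ${absolutePath}` only applies the mode to a directory it creates itself; when `${absolutePath}` already exists (for example a directory left behind from an earlier run of the current 0777 script) its mode is left untouched and never tightened. Follow the mkdir with an explicit `chmod 0700 "${absolutePath}"`, and quote `${absolutePath}` in both new lines so paths containing spaces do not split into several arguments.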
diff --git a/provisioner.go b/provisioner.go
index 84f8f80..08873a1 100644
--- a/provisioner.go
+++ b/provisioner.go
@@ -229,7 +229,7 @@ func (p *LocalPathProvisioner) Provision(opts pvController.ProvisionOptions) (*v
 			},
 			PersistentVolumeSource: v1.PersistentVolumeSource{
 				HostPath: &v1.HostPathVolumeSource{
-					Path: path,
+					Path: path + "/volume",
 					Type: &hostPathType,
 				},
 			},
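Review bot: `path + "/volume"` produces `//volume` when `path` already ends in a separator, and it hard-codes the same `"volume"` literal that the getPathAndNodeForPV hunk compares against, so the two can drift apart. Use `filepath.Join(path, "volume")` here and move the subdirectory name into one shared constant used by both the Provision and getPathAndNodeForPV paths.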
@@ -286,7 +286,14 @@ func (p *LocalPathProvisioner) getPathAndNodeForPV(pv *v1.PersistentVolume) (pat
 	if hostPath == nil {
 		return "", "", fmt.Errorf("no HostPath set")
 	}
-	path = hostPath.Path
+	volumepath := hostPath.Path
+
+	path, volume := filepath.Split(volumepath)
+	path = strings.TrimSuffix(path, "/")
+	volume = strings.TrimSuffix(volume, "/")
+	if volume != "volume" {
+		return "", "", fmt.Errorf("no /volume subdir in %s", path)
+	}
 
 	nodeAffinity := pv.Spec.NodeAffinity
 	if nodeAffinity == nil {
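Review bot: `if volume != "volume"` turns every PV provisioned before this change, whose `HostPath.Path` has no `/volume` suffix, into a hard error, so those volumes can no longer be resolved or torn down; either accept the legacy layout (treat a path without the suffix as the old single directory) or document the migration. Smaller points in the same hunk: `strings.TrimSuffix(volume, "/")` is a no-op, since the second value returned by `filepath.Split` never contains a separator, while a `volumepath` ending in `/` makes `volume` empty and trips the check, which `filepath.Dir` and `filepath.Base` on a `filepath.Clean`ed path would avoid; the error message prints the trimmed parent `path` rather than the offending `hostPath.Path`; and `path/filepath` and `strings` need to be imported if the file does not already use them.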

So the volume itself is 0777, but the parent directory is secured with 0700 and accessible by root only.
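The layout proposed in this comment, as an added shell example that is not code from local-path-provisioner or from the patch above; the helper names and the `pvc-...` directory names used to exercise it are made up for illustration. It also handles the case the patch's `mkdir -m 0700 -p` misses: `mkdir -p` leaves the mode of a directory that already exists untouched, so a leftover 0777 parent is tightened with an explicit `chmod`.

```shell
#!/bin/sh
# Added example (not local-path-provisioner's own code): build the two-level
# layout <parent>/volume with a root-only parent and a world-writable leaf,
# then verify the resulting modes. All paths are caller-supplied assumptions.

# Create the layout. `mkdir -m` only sets the mode on a directory it creates
# and ignores an existing one, so the modes are applied with chmod explicitly
# to cover a parent left behind with 0777 by an earlier provisioning run.
secure_volume_layout() {
    parent="$1"
    mkdir -p "$parent"
    chmod 0700 "$parent"
    mkdir -p "$parent/volume"
    chmod 0777 "$parent/volume"
}

# Return the symbolic mode string of a directory (e.g. drwx------) using only
# POSIX ls, so it works on GNU coreutils, busybox and BSD alike. A trailing
# ACL/SELinux marker (+ or .) is dropped by cutting to the first ten columns.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only if the parent is 0700 and the volume leaf is 0777.
check_volume_layout() {
    [ "$(dir_mode "$1")" = "drwx------" ] &&
    [ "$(dir_mode "$1/volume")" = "drwxrwxrwx" ]
}
```

Because the kubelet, which runs as root, bind-mounts only the `volume` leaf into the pod, the 0700 parent does not affect workloads, while an unprivileged user on the host cannot traverse the parent to reach the world-writable leaf even though its own mode is 0777.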

flokli commented Aug 4, 2021

@brandond What's the state of this? Is there anything in local-path-provisioner taking care of chmods, or is it all configuration of the provisioner, such as done in k3s: k3s-io/k3s@e6247d5?

This issue is stale because it has been open 30 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Jul 26, 2024
github-actions bot commented Aug 1, 2024

This issue was closed because it has been stalled for 5 days with no activity.

@github-actions github-actions bot closed this as completed Aug 1, 2024