[lxc-devel] [lxd/master] Don't specify mode for intermediate directories created with `push -p`

albertodonato on Github lxc-bot at linuxcontainers.org
Fri Jun 30 16:24:27 UTC 2017


From 610ae92a7563b5ba5d41f0e4c1671e6835e6fc86 Mon Sep 17 00:00:00 2001
From: Alberto Donato <alberto.donato at canonical.com>
Date: Fri, 30 Jun 2017 16:11:18 +0200
Subject: [PATCH] Don't specify mode for intermediate directories created with
 `push -p`

Signed-off-by: Alberto Donato <alberto.donato at canonical.com>
---
 lxc/file.go              | 20 ++++++++++----------
 lxd/container_lxc.go     |  7 ++++++-
 lxd/main.go              |  2 +-
 test/suites/filemanip.sh | 10 ++++++++++
 4 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/lxc/file.go b/lxc/file.go
index fbe09a9ee..52cc12ce4 100644
--- a/lxc/file.go
+++ b/lxc/file.go
@@ -164,7 +164,7 @@ func (c *fileCmd) recursivePushFile(d lxd.ContainerServer, container string, sou
 	return filepath.Walk(source, sendFile)
 }
 
-func (c *fileCmd) recursiveMkdir(d lxd.ContainerServer, container string, p string, mode os.FileMode, uid int64, gid int64) error {
+func (c *fileCmd) recursiveMkdir(d lxd.ContainerServer, container string, p string, mode *os.FileMode, uid int64, gid int64) error {
 	/* special case, every container has a /, we don't need to do anything */
 	if p == "/" {
 		return nil
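Review bot: `recursiveMkdir` now gives `mode` two meanings (nil versus a concrete value), but nothing at the signature documents what nil does. A short comment above the function would help, for example `// recursiveMkdir creates p and any missing parents; a nil mode leaves the permissions to the server default.` The function body continues outside this hunk.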
@@ -197,10 +197,14 @@ func (c *fileCmd) recursiveMkdir(d lxd.ContainerServer, container string, p stri
 			continue
 		}
 
+		modeArg := -1
+		if mode != nil {
+			modeArg = int(mode.Perm())
+		}
 		args := lxd.ContainerFileArgs{
 			UID:  uid,
 			GID:  gid,
-			Mode: int(mode.Perm()),
+			Mode: modeArg,
 			Type: "directory",
 		}
 
@@ -286,7 +290,7 @@ func (c *fileCmd) push(conf *config.Config, send_file_perms bool, args []string)
 
 			mode, uid, gid := shared.GetOwnerMode(finfo)
 
-			err = c.recursiveMkdir(d, container, targetPath, mode, int64(uid), int64(gid))
+			err = c.recursiveMkdir(d, container, targetPath, &mode, int64(uid), int64(gid))
 			if err != nil {
 				return err
 			}
@@ -346,12 +350,8 @@ func (c *fileCmd) push(conf *config.Config, send_file_perms bool, args []string)
 				return err
 			}
 
-			if c.mode == "" || c.uid == -1 || c.gid == -1 {
-				dMode, dUid, dGid := shared.GetOwnerMode(finfo)
-				if c.mode == "" {
-					mode = dMode
-				}
-
+			_, dUid, dGid := shared.GetOwnerMode(finfo)
+			if c.uid == -1 || c.gid == -1 {
 				if c.uid == -1 {
 					uid = dUid
 				}
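Review bot: The outer `if c.uid == -1 || c.gid == -1` is now redundant, because `shared.GetOwnerMode(finfo)` is called unconditionally and each inner `if` already tests its own field. Dropping the wrapper leaves just `if c.uid == -1 { uid = dUid }` and the matching gid check. The hunk also removes the `mode = dMode` fallback. Whether the pushed file still inherits the source file's mode when `--mode` is absent depends on code outside this hunk, so that is worth confirming.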
@@ -361,7 +361,7 @@ func (c *fileCmd) push(conf *config.Config, send_file_perms bool, args []string)
 				}
 			}
 
-			err = c.recursiveMkdir(d, container, path.Dir(fpath), mode, int64(uid), int64(gid))
+			err = c.recursiveMkdir(d, container, path.Dir(fpath), nil, int64(uid), int64(gid))
 			if err != nil {
 				return err
 			}
diff --git a/lxd/container_lxc.go b/lxd/container_lxc.go
index 4350fe6c1..46ce11030 100644
--- a/lxd/container_lxc.go
+++ b/lxd/container_lxc.go
@@ -4750,6 +4750,11 @@ func (c *containerLXC) FilePush(srcpath string, dstpath string, uid int64, gid i
 		}
 	}
 
+	defaultMode := 0640
+	if srcpath == "" {
+		defaultMode = 0750
+	}
+
 	// Push the file to the container
 	out, err := shared.RunCommand(
 		execPath,
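Review bot: The new `defaultMode` selection uses `srcpath == ""` as the test for "a directory is being created", which is not evident from this hunk and is easy to break later. A comment such as `// An empty srcpath means a directory is being created; it needs the execute bit to be traversable` would record that. These two constants decide how visible pushed content is inside the container when the caller gives no mode, so naming them (for example `defaultFileMode` and `defaultDirMode`) would make them easier to audit. The next hunk's `int(os.FileMode(defaultMode)&os.ModePerm)` could then be reduced to `defaultMode`, since both values are already pure permission bits. FilePush's body extends outside the hunk.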
@@ -4763,7 +4768,7 @@ func (c *containerLXC) FilePush(srcpath string, dstpath string, uid int64, gid i
 		fmt.Sprintf("%d", mode),
 		fmt.Sprintf("%d", rootUid),
 		fmt.Sprintf("%d", rootGid),
-		fmt.Sprintf("%d", int(os.FileMode(0640)&os.ModePerm)),
+		fmt.Sprintf("%d", int(os.FileMode(defaultMode)&os.ModePerm)),
 		write,
 	)
 
diff --git a/lxd/main.go b/lxd/main.go
index fe965a9ed..b8b92c136 100644
--- a/lxd/main.go
+++ b/lxd/main.go
@@ -198,7 +198,7 @@ func run() error {
 
 	// Process sub-commands
 	if len(os.Args) > 1 {
-		// "forkputfile", "forkgetfile", "forkmount" and "forkumount" are handled specially in nsexec.go
+		// "forkputfile", "forkgetfile", "forkmount" and "forkumount" are handled specially in main_nsexec.go
 		// "forkgetnet" is partially handled in nsexec.go (setns)
 		switch os.Args[1] {
 		// Main commands
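Review bot: The comment line directly below the changed one still reads `"forkgetnet" is partially handled in nsexec.go (setns)`, so the two adjacent lines now name different files. If the file was renamed to main_nsexec.go, that line should become `// "forkgetnet" is partially handled in main_nsexec.go (setns)`.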
diff --git a/test/suites/filemanip.sh b/test/suites/filemanip.sh
index 9edcc255f..1eb6f2847 100644
--- a/test/suites/filemanip.sh
+++ b/test/suites/filemanip.sh
@@ -34,6 +34,16 @@ test_filemanip() {
 
   lxc exec filemanip -- rm -rf /tmp/ptest/source
 
+  # Check that file permissions are not applied to intermediate directories
+
+  lxc file push -p --mode=400 "${TEST_DIR}"/source/foo \
+      filemanip/tmp/ptest/d1/d2/foo
+
+  [ "$(lxc exec filemanip -- stat -c "%a" /tmp/ptest/d1)" = "750" ]
+  [ "$(lxc exec filemanip -- stat -c "%a" /tmp/ptest/d1/d2)" = "750" ]
+
+  lxc exec filemanip -- rm -rf /tmp/ptest/d1
+
   # Special case where we are in the same directory as the one we are currently
   # created.
   oldcwd=$(pwd)
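Review bot: The new test asserts the mode of `d1` and `d1/d2` but never checks that `foo` itself received the requested `400`, so a regression that ignored `--mode` for the file would still pass. Adding `[ "$(lxc exec filemanip -- stat -c "%a" /tmp/ptest/d1/d2/foo)" = "400" ]` before the cleanup would cover both halves of the behaviour. The expected `750` also ties this test to the server default chosen in `lxd/container_lxc.go`, so the two need to change together.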

