moby/volume
Brian Goff 7f5e39bd4f
Use real root with 0701 perms
Various dirs in /var/lib/docker contain data that needs to be mounted
into a container. For this reason, these dirs are set to be owned by the
remapped root user, otherwise there can be permissions issues.
However, this uneccessarily exposes these dirs to an unprivileged user
on the host.

Instead, set the ownership of these dirs to the real root (or rather the
UID/GID of dockerd) with 0701 permissions, which allows the remapped
root to enter the directories but not read/write to them.
The remapped root needs to enter these dirs so the container's rootfs
can be configured... e.g. to mount /etc/resolve.conf.

This prevents an unprivileged user from having read/write access to
these dirs on the host.
The flip side of this is now any user can enter these directories.

Signed-off-by: Brian Goff <cpuguy83@gmail.com>
(cherry picked from commit e908cc3901)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2021-02-02 13:01:25 +01:00
..
drivers replace pkg/locker with github.com/moby/locker 2020-09-10 22:15:40 +02:00
local Use real root with 0701 perms 2021-02-02 13:01:25 +01:00
mounts SELinux: fix ENOTSUP errors not being detected when relabeling 2020-05-10 17:06:44 +02:00
service replace pkg/locker with github.com/moby/locker 2020-09-10 22:15:40 +02:00
testutils Fix flaky test TestServiceGet 2018-06-20 22:38:29 +03:00
volume.go Move mount parsing to separate package. 2018-04-19 06:35:54 -04:00