Ensure umask is set appropriately for 'system service'

We need a umask of 0022 to ensure containers are created correctly, but we set a different one prior to starting the server (to ensure the unix socket has the right permissions). Thus, we need to set the umask after the socket has been bound, but before the server begins accepting requests. Fixes #6787 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
author: Matthew Heon <matthew.heon@pm.me> 2020-06-26 10:07:20 -0400
committer: Matthew Heon <matthew.heon@pm.me> 2020-06-26 10:07:20 -0400
commit: f0ca17650e10e1a922a1cd95780c8449ec0d5490 (patch)
tree: ec5d180a8ababab2c7edbb4342b7a52ccd504d61 /pkg
parent: 673116c063f173ae7ff799a920f9c1ca28194b9d (diff)
download: podman-f0ca17650e10e1a922a1cd95780c8449ec0d5490.tar.gz
podman-f0ca17650e10e1a922a1cd95780c8449ec0d5490.tar.bz2
podman-f0ca17650e10e1a922a1cd95780c8449ec0d5490.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
index bd6a99b96..5b2f8bea2 100644
--- a/pkg/api/server/server.go
+++ b/pkg/api/server/server.go
@@ -173,6 +173,10 @@ func (s *APIServer) Serve() error {
 		}()
 	}
 
+	// Before we start serving, ensure umask is properly set for container
+	// creation.
+	_ = syscall.Umask(0022)
+
 	go func() {
 		err := s.Server.Serve(s.Listener)
 		if err != nil && err != http.ErrServerClosed {
author	Matthew Heon <matthew.heon@pm.me>	2020-06-26 10:07:20 -0400
committer	Matthew Heon <matthew.heon@pm.me>	2020-06-26 10:07:20 -0400
commit	f0ca17650e10e1a922a1cd95780c8449ec0d5490 (patch)
tree	ec5d180a8ababab2c7edbb4342b7a52ccd504d61 /pkg
parent	673116c063f173ae7ff799a920f9c1ca28194b9d (diff)
download	podman-f0ca17650e10e1a922a1cd95780c8449ec0d5490.tar.gz podman-f0ca17650e10e1a922a1cd95780c8449ec0d5490.tar.bz2 podman-f0ca17650e10e1a922a1cd95780c8449ec0d5490.zip