From 83b0fb4696fc9db304365eb16720c26bad93e474 Mon Sep 17 00:00:00 2001
From: Daniel J Walsh <dwalsh@redhat.com>
Date: Tue, 11 Jan 2022 13:51:10 -0500
Subject: Fix permission on secrets directory

This directory needs to be world-searchable so that users can access it from
different user namespaces.

Fixes: https://github.com/containers/podman/issues/12779

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
---
 libpod/runtime_ctr.go           |  2 +-
 test/system/170-run-userns.bats | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/libpod/runtime_ctr.go b/libpod/runtime_ctr.go
index 2891eb783..53ccb9139 100644
--- a/libpod/runtime_ctr.go
+++ b/libpod/runtime_ctr.go
@@ -429,7 +429,7 @@ func (r *Runtime) setupContainer(ctx context.Context, ctr *Container) (_ *Contai
 	}()
 
 	ctr.config.SecretsPath = filepath.Join(ctr.config.StaticDir, "secrets")
-	err = os.MkdirAll(ctr.config.SecretsPath, 0644)
+	err = os.MkdirAll(ctr.config.SecretsPath, 0755)
 	if err != nil {
 		return nil, err
 	}
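Review bot: os.MkdirAll only applies the mode when it creates the directory, so a secrets directory already created as 0644 by an earlier release stays unreadable to mapped UIDs after this change; the hunk should also fix up the existing path, e.g. `if err := os.Chmod(ctr.config.SecretsPath, 0755); err != nil { return nil, err }` right after the MkdirAll error check. The 0755 literal deserves a why-comment, e.g. `// Must be world-searchable: the container's mapped UIDs traverse this path from inside a user namespace`, since a later reader may otherwise tighten it back. It is not visible here whether the secret files placed inside keep a restrictive mode; confirm that only the directory, not its contents, becomes world-accessible. setupContainer begins and ends outside the hunk.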
diff --git a/test/system/170-run-userns.bats b/test/system/170-run-userns.bats
index a5be591ef..c020a73ab 100644
--- a/test/system/170-run-userns.bats
+++ b/test/system/170-run-userns.bats
@@ -78,3 +78,19 @@ EOF
     # Then check that the main user is not mapped into the user namespace
     CONTAINERS_CONF=$PODMAN_TMPDIR/userns_auto.conf run_podman 0 run --rm $IMAGE awk '{if($2 == "0"){exit 1}}' /proc/self/uid_map /proc/self/gid_map
 }
+
+@test "podman userns=auto and secrets" {
+    ns_user="containers"
+    if is_rootless; then
+        ns_user=$(id -un)
+    fi
+    egrep -q "${ns_user}:" /etc/subuid || skip "no IDs allocated for user ${ns_user}"
+    test_name="test_$(random_string 12)"
+    secret_file=$PODMAN_TMPDIR/secret$(random_string 12)
+    secret_content=$(random_string)
+    echo ${secret_content} > ${secret_file}
+    run_podman secret create ${test_name} ${secret_file}
+    run_podman run --rm --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
+    is ${output} ${secret_content} "Secrets should work with user namespace"
+    run_podman secret rm ${test_name}
+}
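Review bot: The cleanup `run_podman secret rm ${test_name}` only runs when the preceding `run` and `is` succeed, so a failing run leaves the secret registered for later tests in the file (unless a teardown in this file removes secrets, which is not visible here); consider removing the secret before asserting, or asserting in a way that does not abort before the rm. The expansions on the new lines are unquoted; `is "$output" "$secret_content" "Secrets should work with user namespace"` and `echo "$secret_content" > "$secret_file"` are the safer forms. `egrep` is deprecated in favour of `grep -E`.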