From 5c0b694ef3a4b86cdcd7ce03f1b300252ca70a05 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn <github@gone.nl>
Date: Mon, 2 Nov 2020 10:27:51 +0100
Subject: [PATCH] container: make hostconfig.json non-world-readable (0600)

When writing container's `hostconfig.json`, permissions were set to 0644 (world-
readable). While this is not a security concern (as the `/var/lib/docker/containers`
directory has `0700` or `0701` permissions), there is no real need to have these
permissions, as this file is only accessed by the daemon.

Looking at history for file permissions;

- 06b53e3fc7aca2b3dae32edab08c7662d3e9e7e8 (first implementation) used `0666` (world-writable)
- cf1a6c08fa03aa7020f8f5b414bb9349a9c8371a refactored the code, and removed explicit permissions
- ea3cbd3274664f5b16fce78d7df036f6b5c94e30 introduced atomic writes, and brought back the `0666` permissions
- 3ec8fed7476704f061891d4c421c615da49e30c7 removed world-writable bits, but kept world-readable

This patch updates the permissions to `0600`, matching what's used for `config.v2.json`,
which was updated in ae52cea3ab46e1e728606349fb6baa9a8203f3ed, but forgot to update
`hostconfig.json`.

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
---
 container/container.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/container/container.go b/container/container.go
index df90a4ee2c..da9253afb3 100644
--- a/container/container.go
+++ b/container/container.go
@@ -244,7 +244,7 @@ func (container *Container) WriteHostConfig() (*containertypes.HostConfig, error
 		return nil, err
 	}
 
-	f, err := ioutils.NewAtomicFileWriter(pth, 0644)
+	f, err := ioutils.NewAtomicFileWriter(pth, 0600)
 	if err != nil {
 		return nil, err
 	}