diff --git a/hack/vendor.sh b/hack/vendor.sh
index 5288b6634d..a98e3bcfe9 100755
--- a/hack/vendor.sh
+++ b/hack/vendor.sh
@@ -55,7 +55,7 @@ clone hg code.google.com/p/go.net 84a4013f96e0
 clone hg code.google.com/p/gosqlite 74691fb6f837
 #get libnetwork packages
-clone git github.com/docker/libnetwork v0.2
+clone git github.com/docker/libnetwork b39597744b0978fe4aeb9f3a099ba42f7b6c4a1f
 clone git github.com/vishvananda/netns 008d17ae001344769b031375bdb38a86219154c6
 clone git github.com/vishvananda/netlink 8eb64238879fed52fd51c5b30ad20b928fb4c36c
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index e7b9f2d71d..0b067b9785 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -1455,6 +1455,32 @@ func (s *DockerSuite) TestRunDnsOptionsBasedOnHostResolvConf(c *check.C) {
 }
 }
+// Test to see if a non-root user can resolve a DNS name and reach out to it. Also
+// check if the container resolv.conf file has atleast 0644 perm.
+func (s *DockerSuite) TestRunNonRootUserResolvName(c *check.C) {
+ testRequires(c, SameHostDaemon)
+
+ cmd := exec.Command(dockerBinary, "run", "--name=testperm", "--user=default", "busybox", "ping", "-c", "1", "www.docker.io")
+ if out, err := runCommand(cmd); err != nil {
+ c.Fatal(err, out)
+ }
+
+ cID, err := getIDByName("testperm")
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ fmode := (os.FileMode)(0644)
+ finfo, err := os.Stat(containerStorageFile(cID, "resolv.conf"))
+ if err != nil {
+ c.Fatal(err)
+ }
+
+ if (finfo.Mode() & fmode) != fmode {
+ c.Fatalf("Expected container resolv.conf mode to be atleast %s, instead got %s", fmode.String(), finfo.Mode().String())
+ }
+}
+
 // Test if container resolv.conf gets updated the next time it restarts
 // if host /etc/resolv.conf has changed. This only applies if the container
 // uses the host's /etc/resolv.conf and does not have any dns options provided.
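Review bot: The permission assertion in TestRunNonRootUserResolvName is only a lower bound: `(finfo.Mode() & fmode) != fmode` also passes for 0666 or 0777, so the test would not notice the container's resolv.conf becoming group- or world-writable. Since this file is presumably what the container sees as /etc/resolv.conf, a writable mode would let an unprivileged process change its own DNS configuration, and the test should pin the bits exactly with `if finfo.Mode().Perm() != fmode {`, as the vendored TestResolvConf in this same commit does with an equality check. Separately, the `ping` to www.docker.io makes the test depend on outbound DNS and ICMP from the test host. If the suite has a network-availability requirement, it should be listed in `testRequires` next to `SameHostDaemon`, so that an offline run is skipped rather than reported as a permissions regression.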
diff --git a/vendor/src/github.com/docker/libnetwork/endpoint.go b/vendor/src/github.com/docker/libnetwork/endpoint.go
index 3ddec80ec9..f6f18a9360 100644
--- a/vendor/src/github.com/docker/libnetwork/endpoint.go
+++ b/vendor/src/github.com/docker/libnetwork/endpoint.go
@@ -548,6 +548,11 @@ func (ep *endpoint) updateDNS(resolvConf []byte) error {
 return err
 }
+ // Change the perms to 0644 since ioutil.TempFile creates it by default as 0600
+ if err := os.Chmod(tmpResolvFile.Name(), 0644); err != nil {
+ return err
+ }
+
 // write the updates to the temp files
 if err = ioutil.WriteFile(tmpHashFile.Name(), []byte(newHash), 0644); err != nil {
 return err
diff --git a/vendor/src/github.com/docker/libnetwork/libnetwork_test.go b/vendor/src/github.com/docker/libnetwork/libnetwork_test.go
index b628190657..879c0f146e 100644
--- a/vendor/src/github.com/docker/libnetwork/libnetwork_test.go
+++ b/vendor/src/github.com/docker/libnetwork/libnetwork_test.go
@@ -1137,6 +1137,16 @@ func TestResolvConf(t *testing.T) {
 }
 }()
+ finfo, err := os.Stat(resolvConfPath)
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ fmode := (os.FileMode)(0644)
+ if finfo.Mode() != fmode {
+ t.Fatalf("Expected file mode %s, got %s", fmode.String(), finfo.Mode().String())
+ }
+
 content, err := ioutil.ReadFile(resolvConfPath)
 if err != nil {
 t.Fatal(err)