mirror of
https://github.com/moby/moby.git
93ac040bf0
Do not use 0701 perms. 0701 dir perms allow anyone to traverse the docker dir. This happens to allow any user to execute, for example, suid binaries from image rootfs dirs, because it allows traversal AND, critically, container users need to be able to execute things. 0701 on lower directories also happens to allow any user to modify things in, for instance, the overlay upper dir, which necessarily has 0755 permissions. This change uses 0710 instead, which allows users in the group to traverse. In userns mode the UID owner is (real) root and the GID is the remapped root's GID. This prevents anyone but the remapped root from traversing our directories (which is required for userns with runc). Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit ef7237442147441a7cadcda0600be1186d81ac73) Signed-off-by: Brian Goff <cpuguy83@gmail.com> |
||
---|---|---|
.. | ||
cluster | ||
config | ||
discovery | ||
events | ||
exec | ||
graphdriver | ||
images | ||
initlayer | ||
links | ||
listeners | ||
logger | ||
names | ||
network | ||
stats | ||
testdata | ||
apparmor_default.go | ||
apparmor_default_unsupported.go | ||
archive.go | ||
archive_tarcopyoptions.go | ||
archive_tarcopyoptions_unix.go | ||
archive_tarcopyoptions_windows.go | ||
archive_unix.go | ||
archive_windows.go | ||
attach.go | ||
auth.go | ||
changes.go | ||
checkpoint.go | ||
cluster.go | ||
commit.go | ||
configs.go | ||
configs_linux.go | ||
configs_unsupported.go | ||
configs_windows.go | ||
container.go | ||
container_linux.go | ||
container_operations.go | ||
container_operations_unix.go | ||
container_operations_windows.go | ||
container_unix_test.go | ||
container_windows.go | ||
content.go | ||
create.go | ||
create_test.go | ||
create_unix.go | ||
create_windows.go | ||
daemon.go | ||
daemon_linux.go | ||
daemon_linux_test.go | ||
daemon_test.go | ||
daemon_unix.go | ||
daemon_unix_test.go | ||
daemon_unsupported.go | ||
daemon_windows.go | ||
daemon_windows_test.go | ||
debugtrap_unix.go | ||
debugtrap_unsupported.go | ||
debugtrap_windows.go | ||
delete.go | ||
delete_test.go | ||
dependency.go | ||
devices_linux.go | ||
disk_usage.go | ||
errors.go | ||
events.go | ||
events_test.go | ||
exec.go | ||
exec_linux.go | ||
exec_linux_test.go | ||
exec_windows.go | ||
export.go | ||
health.go | ||
health_test.go | ||
info.go | ||
info_test.go | ||
info_unix.go | ||
info_unix_test.go | ||
info_windows.go | ||
inspect.go | ||
inspect_linux.go | ||
inspect_test.go | ||
inspect_windows.go | ||
keys.go | ||
keys_unsupported.go | ||
kill.go | ||
licensing.go | ||
licensing_test.go | ||
links.go | ||
list.go | ||
list_test.go | ||
list_unix.go | ||
list_windows.go | ||
logdrivers_linux.go | ||
logdrivers_windows.go | ||
logs.go | ||
logs_test.go | ||
metrics.go | ||
metrics_unix.go | ||
metrics_unsupported.go | ||
monitor.go | ||
mounts.go | ||
names.go | ||
network.go | ||
network_windows.go | ||
nvidia_linux.go | ||
oci_linux.go | ||
oci_linux_test.go | ||
oci_utils.go | ||
oci_windows.go | ||
oci_windows_test.go | ||
pause.go | ||
prune.go | ||
reload.go | ||
reload_test.go | ||
reload_unix.go | ||
reload_windows.go | ||
rename.go | ||
resize.go | ||
resize_test.go | ||
restart.go | ||
runtime_unix.go | ||
runtime_windows.go | ||
seccomp_disabled.go | ||
seccomp_linux.go | ||
seccomp_unsupported.go | ||
secrets.go | ||
secrets_linux.go | ||
secrets_unsupported.go | ||
secrets_windows.go | ||
start.go | ||
start_unix.go | ||
start_windows.go | ||
stats.go | ||
stats_collector.go | ||
stats_unix.go | ||
stats_windows.go | ||
stop.go | ||
top_unix.go | ||
top_unix_test.go | ||
top_windows.go | ||
trustkey.go | ||
trustkey_test.go | ||
unpause.go | ||
update.go | ||
update_linux.go | ||
update_windows.go | ||
util_test.go | ||
volumes.go | ||
volumes_linux.go | ||
volumes_linux_test.go | ||
volumes_unit_test.go | ||
volumes_unix.go | ||
volumes_unix_test.go | ||
volumes_windows.go | ||
wait.go | ||
workdir.go |