server: make paths to chown also accessible

giuseppe · giuseppe · commit f035d60772aa · 2020-08-21T10:45:39.000+02:00
Signed-off-by: Giuseppe Scrivano &lt;gscrivan@redhat.com&gt;
diff --git a/server/container_create_linux.go b/server/container_create_linux.go
@@ -168,9 +168,6 @@ func (s *Server) createContainerPlatform(container *oci.Container, cgroupParent
 		rootPair := s.defaultIDMappings.RootPair()
 
 		for _, path := range []string{container.BundlePath(), container.MountPoint()} {
-			if err := os.Chown(path, rootPair.UID, rootPair.GID); err != nil {
-				return errors.Wrapf(err, "cannot chown %s to %d:%d", path, rootPair.UID, rootPair.GID)
-			}
 			if err := makeAccessible(path, rootPair.UID, rootPair.GID); err != nil {
 				return errors.Wrapf(err, "cannot make %s accessible to %d:%d", path, rootPair.UID, rootPair.GID)
 			}
@@ -181,6 +178,9 @@ func (s *Server) createContainerPlatform(container *oci.Container, cgroupParent
 
 // makeAccessible changes the path permission and each parent directory to have --x--x--x
 func makeAccessible(path string, uid, gid int) error {
+	if err := os.Chown(path, uid, gid); err != nil {
+		return errors.Wrapf(err, "cannot chown %s to %d:%d", path, uid, gid)
+	}
 	for ; path != "/"; path = filepath.Dir(path) {
 		st, err := os.Stat(path)
 		if err != nil {
diff --git a/server/sandbox_run_linux.go b/server/sandbox_run_linux.go
@@ -610,7 +610,7 @@ func (s *Server) runPodSandbox(ctx context.Context, req *pb.RunPodSandboxRequest
 	if s.defaultIDMappings != nil && !s.defaultIDMappings.Empty() {
 		rootPair := s.defaultIDMappings.RootPair()
 		for _, path := range pathsToChown {
-			if err := os.Chown(path, rootPair.UID, rootPair.GID); err != nil {
+			if err := makeAccessible(path, rootPair.UID, rootPair.GID); err != nil {
 				return nil, errors.Wrapf(err, "cannot chown %s to %d:%d", path, rootPair.UID, rootPair.GID)
 			}
 		}

Original file line number	Diff line number	Diff line change
`@@ -610,7 +610,7 @@ func (s Server) runPodSandbox(ctx context.Context, req pb.RunPodSandboxRequest`
`610`	`610`	`if s.defaultIDMappings != nil && !s.defaultIDMappings.Empty() {`
`611`	`611`	`rootPair := s.defaultIDMappings.RootPair()`
`612`	`612`	`for _, path := range pathsToChown {`
`613`		`- if err := os.Chown(path, rootPair.UID, rootPair.GID); err != nil {`
	`613`	`+ if err := makeAccessible(path, rootPair.UID, rootPair.GID); err != nil {`
`614`	`614`	`return nil, errors.Wrapf(err, "cannot chown %s to %d:%d", path, rootPair.UID, rootPair.GID)`
`615`	`615`	`}`
`616`	`616`	`}`