Remove umask, replace with explicit chmod after create

Call chmod on all open files and created directories to ensure permission is set as expected without changing umask. Fixes #1608 Signed-off-by: Derek McGowan <derek@mcgstyle.net>
2017-10-11 14:38:05 -07:00
parent 3cc75915db
commit e20b371807
5 changed files with 49 additions and 17 deletions
--- a/archive/tar.go
+++ b/archive/tar.go
@@ -88,8 +88,6 @@ const (
 // See https://github.com/opencontainers/image-spec/blob/master/layer.md#applying-changesets
 func Apply(ctx context.Context, root string, r io.Reader) (int64, error) {
 	root = filepath.Clean(root)
-	fn := prepareApply()
-	defer fn()

 	var (
 		tr   = tar.NewReader(r)
@@ -445,13 +443,13 @@ func createTarFile(ctx context.Context, path, extractDir string, hdr *tar.Header
 		// Create directory unless it exists as a directory already.
 		// In that case we just want to merge the two
 		if fi, err := os.Lstat(path); !(err == nil && fi.IsDir()) {
-			if err := os.Mkdir(path, hdrInfo.Mode()); err != nil {
+			if err := mkdir(path, hdrInfo.Mode()); err != nil {
 				return err
 			}
 		}

 	case tar.TypeReg, tar.TypeRegA:
-		file, err := openFile(path, os.O_CREATE|os.O_WRONLY, hdrInfo.Mode())
+		file, err := openFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, hdrInfo.Mode())
 		if err != nil {
 			return err
 		}
--- a/archive/tar_unix.go
+++ b/archive/tar_unix.go
@@ -43,20 +43,28 @@ func open(p string) (*os.File, error) {
 }

 func openFile(name string, flag int, perm os.FileMode) (*os.File, error) {
-	return os.OpenFile(name, flag, perm)
+	f, err := os.OpenFile(name, flag, perm)
+	if err != nil {
+		return nil, err
+	}
+	// Call chmod to avoid permission mask
+	if err := os.Chmod(name, perm); err != nil {
+		return nil, err
+	}
+	return f, err
 }

 func mkdirAll(path string, perm os.FileMode) error {
 	return os.MkdirAll(path, perm)
 }

-func prepareApply() func() {
-	// Unset unmask before doing an apply operation,
-	// restore unmask when complete
-	oldmask := unix.Umask(0)
-	return func() {
-		unix.Umask(oldmask)
+func mkdir(path string, perm os.FileMode) error {
+	if err := os.Mkdir(path, perm); err != nil {
+		return err
 	}
+	// Only final created directory gets explicit permission
+	// call to avoid permission mask
+	return os.Chmod(path, perm)
 }

 func skipFile(*tar.Header) bool {
--- a/archive/tar_windows.go
+++ b/archive/tar_windows.go
@@ -56,9 +56,8 @@ func mkdirAll(path string, perm os.FileMode) error {
 	return sys.MkdirAll(path, perm)
 }

-func prepareApply() func() {
-	// No umask or filesystem changes needed before apply
-	return func() {}
+func mkdir(path string, perm os.FileMode) error {
+	return os.Mkdir(path, perm)
 }

 func skipFile(hdr *tar.Header) bool {