shim: Create pid-file and address with 0644 permissions

Dzejrou · Dzejrou · commit 088d5cfbd23f · 2023-12-14T23:18:54.000+01:00
Fixes ae70213 In ae70213 the WritePidFile and WriteAddress functions were changed to use AtomicFile instead of os.CreateFile. However, AtomicFile creates a temporary file and then changes its permissions with os.Chmod which alters the previously observed behavior of os.CreateFile which takes the system's umask into account. This means that on Linux-based systems these files suddenly became world writable (#9363). This commit explicitly requests 0644 permissions as even on systems without default umask of 0022 there is no reason to have these two files world writable. Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
diff --git a/runtime/v2/shim/util.go b/runtime/v2/shim/util.go
@@ -126,7 +126,7 @@ func WritePidFile(path string, pid int) error {
 	if err != nil {
 		return err
 	}
-	f, err := atomicfile.New(path, 0o666)
+	f, err := atomicfile.New(path, 0o644)
 	if err != nil {
 		return err
 	}
@@ -144,7 +144,7 @@ func WriteAddress(path, address string) error {
 	if err != nil {
 		return err
 	}
-	f, err := atomicfile.New(path, 0o666)
+	f, err := atomicfile.New(path, 0o644)
 	if err != nil {
 		return err
 	}

Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@ func WritePidFile(path string, pid int) error {`
`126`	`126`	`if err != nil {`
`127`	`127`	`return err`
`128`	`128`	`}`
`129`		`- f, err := atomicfile.New(path, 0o666)`
	`129`	`+ f, err := atomicfile.New(path, 0o644)`
`130`	`130`	`if err != nil {`
`131`	`131`	`return err`
`132`	`132`	`}`
`@@ -144,7 +144,7 @@ func WriteAddress(path, address string) error {`
`144`	`144`	`if err != nil {`
`145`	`145`	`return err`
`146`	`146`	`}`
`147`		`- f, err := atomicfile.New(path, 0o666)`
	`147`	`+ f, err := atomicfile.New(path, 0o644)`
`148`	`148`	`if err != nil {`
`149`	`149`	`return err`
`150`	`150`	`}`