btrfs: reduce permissions on plugin directories

dmcgowan · dmcgowan · commit f95fca079077 · 2021-10-01T12:51:42.000-07:00
Disallow traversal into directories that may contain unpacked or mounted image filesystems. Signed-off-by: Derek McGowan <derek@mcg.dev> Signed-off-by: Samuel Karp <skarp@amazon.com> (cherry picked from commit 7c621e1)
diff --git a/snapshots/btrfs/btrfs.go b/snapshots/btrfs/btrfs.go
@@ -50,11 +50,15 @@ type snapshotter struct {
 // root needs to be a mount point of btrfs.
 func NewSnapshotter(root string) (snapshots.Snapshotter, error) {
 	// If directory does not exist, create it
-	if _, err := os.Stat(root); err != nil {
+	if st, err := os.Stat(root); err != nil {
 		if !os.IsNotExist(err) {
 			return nil, err
 		}
-		if err := os.Mkdir(root, 0755); err != nil {
+		if err := os.Mkdir(root, 0700); err != nil {
+			return nil, err
+		}
+	} else if st.Mode()&os.ModePerm != 0700 {
+		if err := os.Chmod(root, 0700); err != nil {
 			return nil, err
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -50,11 +50,15 @@ type snapshotter struct {`
`50`	`50`	`// root needs to be a mount point of btrfs.`
`51`	`51`	`func NewSnapshotter(root string) (snapshots.Snapshotter, error) {`
`52`	`52`	`// If directory does not exist, create it`
`53`		`- if _, err := os.Stat(root); err != nil {`
	`53`	`+ if st, err := os.Stat(root); err != nil {`
`54`	`54`	`if !os.IsNotExist(err) {`
`55`	`55`	`return nil, err`
`56`	`56`	`}`
`57`		`- if err := os.Mkdir(root, 0755); err != nil {`
	`57`	`+ if err := os.Mkdir(root, 0700); err != nil {`
	`58`	`+ return nil, err`
	`59`	`+ }`
	`60`	`+ } else if st.Mode()&os.ModePerm != 0700 {`
	`61`	`+ if err := os.Chmod(root, 0700); err != nil {`
`58`	`62`	`return nil, err`
`59`	`63`	`}`
`60`	`64`	`}`