diff options
author | Brian Goff <cpuguy83@gmail.com> | 2020-10-06 19:40:30 +0000 |
---|---|---|
committer | Tibor Vass <tibor@docker.com> | 2021-01-26 17:23:32 +0000 |
commit | bfedd2725971303efb7a2fe5d6990317b381622f (patch) | |
tree | e52ef0397f249f4d42cffd6b2799a64f9973b17a | |
parent | edb62a3ace8c4303822a391b38231e577f8c2ee8 (diff) | |
download | docker-bfedd2725971303efb7a2fe5d6990317b381622f.tar.gz |
Do not set DOCKER_TMP to be owned by remapped root
The remapped root does not need access to this dir.
Having this owned by the remapped root opens the host up to an
uprivileged user on the host being able to escalate privileges.
While it would not be normal for the remapped UID to be used outside of
the container context, it could happen.
Signed-off-by: Brian Goff <cpuguy83@gmail.com>
-rw-r--r-- | daemon/daemon.go | 8 |
1 files changed, 3 insertions, 5 deletions
diff --git a/daemon/daemon.go b/daemon/daemon.go index 3e86ab5c87..ab0db4fa06 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go @@ -795,7 +795,7 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S } // set up the tmpDir to use a canonical path - tmp, err := prepareTempDir(config.Root, rootIDs) + tmp, err := prepareTempDir(config.Root) if err != nil { return nil, fmt.Errorf("Unable to get the TempDir under %s: %s", config.Root, err) } @@ -1370,7 +1370,7 @@ func (daemon *Daemon) Subnets() ([]net.IPNet, []net.IPNet) { // prepareTempDir prepares and returns the default directory to use // for temporary files. // If it doesn't exist, it is created. If it exists, its content is removed. -func prepareTempDir(rootDir string, rootIdentity idtools.Identity) (string, error) { +func prepareTempDir(rootDir string) (string, error) { var tmpDir string if tmpDir = os.Getenv("DOCKER_TMPDIR"); tmpDir == "" { tmpDir = filepath.Join(rootDir, "tmp") @@ -1388,9 +1388,7 @@ func prepareTempDir(rootDir string, rootIdentity idtools.Identity) (string, erro } } } - // We don't remove the content of tmpdir if it's not the default, - // it may hold things that do not belong to us. - return tmpDir, idtools.MkdirAllAndChown(tmpDir, 0700, rootIdentity) + return tmpDir, idtools.MkdirAllAndChown(tmpDir, 0700, idtools.CurrentIdentity()) } func (daemon *Daemon) setGenericResources(conf *config.Config) error { |