From 4148ca1769f33fee03b2fde0f648d4fba2200789 Mon Sep 17 00:00:00 2001
From: Seth Hoenig
Date: Wed, 15 May 2024 10:43:30 -0500
Subject: [PATCH] client: mount shared alloc dir as nobody (#20589)

In the Unveil filesystem isolation mode we were mounting the shared alloc dir with the UID/GID of the user of the task dir being mounted and 0710 filesystem permissions. This was causing the actual task dir to become inaccessible to other tasks in the allocation (a race where the last mounter wins). Instead mount the shared alloc dir as nobody with 0777 filesystem permissions.
---
 client/allocdir/task_dir.go | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/client/allocdir/task_dir.go b/client/allocdir/task_dir.go
index cf738860b..2d2fca001 100644
--- a/client/allocdir/task_dir.go
+++ b/client/allocdir/task_dir.go
@@ -170,6 +170,11 @@ func (t *TaskDir) Build(fsi fsisolation.Mode, chroot map[string]string, username
 return fmt.Errorf("Failed to lookup user: %v", err)
 }

+ nobodyUID, nobodyGID, _, err := dynamic.LookupUser("nobody")
+ if err != nil {
+ return fmt.Errorf("Failed to lookup nobody user: %v", err)
+ }
+
 // create the task unique directory under the client mounts path
 parent := filepath.Dir(t.MountsAllocDir)
 if err = os.MkdirAll(parent, fileMode710); err != nil {
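Review bot: The added lookup hard-codes the `nobody` account, so on a host where that account is absent or named differently Build now fails outright at the new `return fmt.Errorf("Failed to lookup nobody user: %v", err)` rather than degrading, and nothing in the hunk explains why that user was chosen. A why-comment above the lookup would help the next maintainer, e.g. `// the shared alloc dir is mounted as nobody so that no single task's user owns it (see #20589); the nobody account must exist on the host`. It is not visible here whether this code runs only for the Unveil isolation mode, so confirm that a missing nobody account cannot break other modes that never use these values. Build starts before and continues after this hunk.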
@@ -179,10 +184,20 @@ func (t *TaskDir) Build(fsi fsisolation.Mode, chroot map[string]string, username
 return fmt.Errorf("Failed to chown task mount directory: %v", err)
 }

- // create the task, alloc, and secrets mount points
- mountDir(t.Dir, t.MountsTaskDir, uid, gid, fileMode710)
- mountDir(filepath.Join(t.AllocDir, "/alloc"), t.MountsAllocDir, uid, gid, fileMode710)
- mountDir(t.SecretsDir, t.MountsSecretsDir, uid, gid, fileMode710)
+ // create the taskdir mount point
+ if err = mountDir(t.Dir, t.MountsTaskDir, uid, gid, fileMode710); err != nil {
+ return fmt.Errorf("Failed to mount task dir: %v", err)
+ }
+
+ // create the allocdir mount point (owned by nobody)
+ if err = mountDir(filepath.Join(t.AllocDir, "/alloc"), t.MountsAllocDir, nobodyUID, nobodyGID, fileMode777); err != nil {
+ return fmt.Errorf("Failed to mount alloc dir: %v", err)
+ }
+
+ // create the secretsdir mount point
+ if err = mountDir(t.SecretsDir, t.MountsSecretsDir, uid, gid, fileMode710); err != nil {
+ return fmt.Errorf("Failed to mount secrets dir: %v", err)
+ }
 }

 return nil
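Review bot: The alloc dir mount point is now `fileMode777` with no sticky bit, so under Unveil any task user in the allocation can delete or rename files that another task created in the shared dir, not merely read and write alongside them; if cross-task deletion is not a requirement, a sticky `01777` (as on /tmp) keeps the shared-write behaviour the commit needs while limiting unlink to the file owner. Whether mountDir applies the uid/gid and mode to the bind-mount source or only to the mount point is not visible here — if only the mount point is changed, the mode of the underlying alloc directory is what tasks actually see, so the fix should be confirmed on a live mount. `fileMode777` is not introduced by this diff, so it is presumably already defined beside `fileMode710`. A short why-comment on the alloc mount would also help, e.g. `// shared by every task in the alloc: owned by nobody with world rwx so the last task to mount cannot lock the others out`. The enclosing if-block and Build continue outside this hunk.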