local-path-provisioner
Volumes are created with 0777 mode
Hi devs
I read through the code and configs and found out that volumes are created with 0777 privs. I think this is suboptimal, as local users on the host can have access to the data. Would it make sense to use something like this (draft):
diff --git a/deploy/local-path-storage.yaml b/deploy/local-path-storage.yaml
index 8148b00..020f5bf 100644
--- a/deploy/local-path-storage.yaml
+++ b/deploy/local-path-storage.yaml
@@ -125,7 +125,8 @@ data:
esac
done
- mkdir -m 0777 -p ${absolutePath}
+ mkdir -m 0700 -p ${absolutePath}
+ mkdir -m 0777 -p ${absolutePath}/volume
teardown: |-
#!/bin/sh
while getopts "m:s:p:" opt
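Review bot: `mkdir -m 0700 -p ${absolutePath}` in the setup script only applies the mode when it actually creates the directory; if ${absolutePath} already exists, `mkdir -p` succeeds without touching its permissions, so a directory left at 0777 stays world-accessible. Follow it with an explicit `chmod 0700` on the parent, and quote the expansion as "${absolutePath}" in both new lines so a path containing whitespace is not split.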
diff --git a/provisioner.go b/provisioner.go
index 84f8f80..08873a1 100644
--- a/provisioner.go
+++ b/provisioner.go
@@ -229,7 +229,7 @@ func (p *LocalPathProvisioner) Provision(opts pvController.ProvisionOptions) (*v
},
PersistentVolumeSource: v1.PersistentVolumeSource{
HostPath: &v1.HostPathVolumeSource{
- Path: path,
+ Path: path + "/volume",
Type: &hostPathType,
},
},
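Review bot: `Path: path + "/volume"` hard-codes the subdirectory name in Provision, and the same literal is repeated in the setup script and in the getPathAndNodeForPV check, so the three can drift apart silently. Define one constant for the name and build the path with `filepath.Join(path, volumeSubdir)` (constant name hypothetical). The coupling to the setup script also deserves a comment, since a setup script that does not create the subdirectory leaves the PV pointing at a path that does not exist.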
@@ -286,7 +286,14 @@ func (p *LocalPathProvisioner) getPathAndNodeForPV(pv *v1.PersistentVolume) (pat
if hostPath == nil {
return "", "", fmt.Errorf("no HostPath set")
}
- path = hostPath.Path
+ volumepath := hostPath.Path
+
+ path, volume := filepath.Split(volumepath)
+ path = strings.TrimSuffix(path, "/")
+ volume = strings.TrimSuffix(volume, "/")
+ if volume != "volume" {
+ return "", "", fmt.Errorf("no /volume subdir in %s", path)
+ }
nodeAffinity := pv.Spec.NodeAffinity
if nodeAffinity == nil {
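Review bot: the new `volume != "volume"` check in getPathAndNodeForPV returns an error for every PV whose HostPath.Path has no /volume suffix, which includes all PVs provisioned before this change; either accept the old layout as a fallback or document a migration. Separately, the error message formats `path` after it has been reassigned by `filepath.Split`, so it prints the parent directory rather than the offending value; use `volumepath` there. A HostPath ending in a slash also fails, because `filepath.Split` then returns an empty file component; running `filepath.Clean` first would handle it.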
So the volume itself is 0777, but the parent directory is secured with 0700 and accessible by root only.
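An added example, not part of the original issue or the project's code: a small shell audit for the layout described in the post above, reporting top-level volume directories that non-owner host users can enter. It assumes each direct child of the base directory is one volume's directory; the function names and the demo tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): audit a provisioner base directory for
# volume directories that "other" users on the host can enter.
# Assumption: every direct child of BASE is one volume's top-level directory.

# exposed_volumes BASE
# Prints each direct child directory of BASE that has the others-execute bit
# set. A 0700 parent, as in the draft patch, is not reported even though its
# volume/ subdirectory is 0777, because non-owners cannot traverse the parent.
exposed_volumes() {
    base=$1
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        dir=${dir%/}
        # -prune: inspect only $dir itself; -perm -0001: others have x
        find "$dir" -prune -type d -perm -0001 -print
    done
}

# demo_tree
# Builds a constructed sample tree with both layouts and prints its root.
demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -m 0777 "$root/pvc-current"        # current behaviour: 0777 volume
    mkdir -m 0700 "$root/pvc-draft"          # draft: root-only parent
    mkdir -m 0777 "$root/pvc-draft/volume"   # draft: 0777 data directory
    printf '%s\n' "$root"
}
```

Run `exposed_volumes` against the provisioner's configured base path on a node; any line of output is a volume directory that local users can reach.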
@brandond What's the state of this? Is there anything in local-path-provisioner taking care of chmods, or is it all configuration of the provisioner, such as done in k3s: https://github.com/k3s-io/k3s/commit/e6247d583c432381b5d8439ca2873fff404f86e2?