Commit

daemon: overlay2: remove world writable permission from the lower file
In de2447c, the creation of the 'lower' file was changed from using
os.Create to using ioutils.AtomicWriteFile, which ignores the system's
umask. This means that even though the requested permission in the
source code was always 0666, it was 0644 on systems with default
umask of 0022 prior to de2447c, so the move to AtomicFile potentially
increased the file's permissions.

This is not a security issue because the parent directory does not
allow writes into the file, but it can confuse security scanners on
Linux-based systems into giving false positives.

Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
(cherry picked from commit cadb124)
Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
Dzejrou authored and vvoland committed Mar 6, 2024
1 parent 5d66793 commit d0d85f6
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion daemon/graphdriver/overlay2/overlay.go
Expand Up @@ -406,7 +406,7 @@ func (d *Driver) create(id, parent string, opts *graphdriver.CreateOpts) (retErr
return err
}
if lower != "" {
if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o666); err != nil {
if err := ioutils.AtomicWriteFile(path.Join(dir, lowerFile), []byte(lower), 0o644); err != nil {
return err
}
}
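
Review bot: the 0o644 literal in the ioutils.AtomicWriteFile call for lowerFile carries no comment explaining why it is not 0o666. Per the commit message, AtomicWriteFile ignores the umask, so the mode passed here is the mode the file ends up with; a one-line comment saying so above the call would keep a later cleanup from restoring 0o666. The change also comes without a test (one file, 1 addition and 1 deletion); a check that stats the lower file after create and asserts that the group-write and world-write bits are clear would catch a regression.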