shim: Create pid-file and address with 0644 permissions
Fixes ae70213

In ae70213 the WritePidFile and WriteAddress functions were
changed to use AtomicFile instead of os.CreateFile. However,
AtomicFile creates a temporary file and then changes its permissions
with os.Chmod which alters the previously observed behavior of
os.CreateFile which takes the system's umask into account.

This means that on Linux-based systems these files suddenly
became world writable (#9363). This commit explicitly requests
0644 permissions as even on systems without default umask of 0022
there is no reason to have these two files world writable.
Dzejrou committed Dec 14, 2023
1 parent ad9e654 commit f900226
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions runtime/v2/shim/util.go
Expand Up @@ -126,7 +126,7 @@ func WritePidFile(path string, pid int) error {
if err != nil {
return err
}
f, err := atomicfile.New(path, 0o666)
f, err := atomicfile.New(path, 0o644)
if err != nil {
return err
}
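Review bot: The `0o644` passed to `atomicfile.New` in WritePidFile needs a comment saying the mode is applied as given and is not narrowed by the umask. The commit message explains that AtomicFile sets permissions with os.Chmod, but nothing at the call site records it, so a later edit could put `0o666` back on the assumption that the umask will mask it. A one-line comment above the call would do. Note also that on a host running with a stricter umask such as 0077, the pre-ae70213 behaviour described in the commit message would have produced a 0600 file, so a fixed 0644 is wider than before on those systems. If nothing other than the owner needs to read the pid file, a tighter mode is worth considering.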
Expand All @@ -144,7 +144,7 @@ func WriteAddress(path, address string) error {
if err != nil {
return err
}
f, err := atomicfile.New(path, 0o666)
f, err := atomicfile.New(path, 0o644)
if err != nil {
return err
}
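Review bot: The literal `0o644` in WriteAddress duplicates the one in WritePidFile. Hoisting it into a single named constant in util.go would keep the two call sites from drifting apart. The change also ships without a test: the world-writable regression (#9363) came from a mode argument whose effect changed silently, so a test that calls WritePidFile and WriteAddress, stats the results, and asserts that the permission bits are exactly 0644 under a non-default umask would catch a repeat.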