Default 0777 permission for the mounted folder of NFS share on Kubernetes Node #387

Closed
pawcykca opened this issue Nov 16, 2022 · 3 comments · Fixed by #388

pawcykca commented Nov 16, 2022

What happened:
Version 3.0.0 of csi-driver-nfs doesn't enforce any permissions for the mounted folder.
The new 'mount-permissions' parameter (that was implemented by PR #36) had no default value (chmod operation wasn't performed) and permissions were set based on the system's umask configuration.

In version 3.1.0 of csi-driver-nfs this behavior has been changed (by this PR #256) to set the default permissions for the mounted folder to 0777.

https://github.com/kubernetes-csi/csi-driver-nfs/pull/256/files#diff-fa680ca434236ca2c45b192deb20e670a3a4a1ddd711dfd915ba0b4cabd86992R101

Is this OK from a security point of view - default 0777 permission for the mounted folder of NFS share on Kubernetes Node set by csi-nfs-driver?

What you expected to happen:
Don't set default permission for the mounted folder by csi-driver-nfs (permissions set based on system's umask configuration) and allow end user to change it if necessary by 'mount-permissions' parameter.

How to reproduce it:

  1. Deploy csi-driver-nfs v3.0.0
  2. Create PVC
  3. Create Pod using this PVC
  4. Exec to the Pod and check permissions for the mounted folder //permissions will be set based on system's umask configuration
  5. Delete PVC and Pod
  6. Replace image version to v3.1.0 for csi-driver-nfs Deployment
  7. Repeat steps 2-4 //permissions will be set to 0777

Environment:

  • CSI Driver version: 3.0.0 and 3.1.0
  • Kubernetes version (use kubectl version): 1.23
  • OS (e.g. from /etc/os-release): Fedora-Coreos-35.20220116.3.0
  • Kernel (e.g. uname -a): 5.15.17-200.fc35.x86_64
@andyzhangx
Member

good catch, I think you are right, default mountPermissions should be 0, here is the fix: #388

@andyzhangx
Member

@pawcykca could you take a look at this PR(#388)? thanks.

@pawcykca
Author

Looks OK from my perspective.
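
The behaviour discussed in this thread, as an added example that is not part of the issue and is not csi-driver-nfs code: a hypothetical `applyMountPermissions` helper treats a value of 0 as "skip chmod" (the default proposed above) and applies any other octal value explicitly. The names `applyMountPermissions`, `worldWritable` and `demo` are assumptions, and the temporary directory is a constructed stand-in for a mount target.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// applyMountPermissions is a hypothetical helper, not csi-driver-nfs code.
// param is an octal string; "0" means "do not chmod", so the directory
// keeps whatever mode its creation and the process umask gave it.
func applyMountPermissions(dir, param string) (os.FileMode, error) {
	v, err := strconv.ParseUint(param, 8, 32)
	if err != nil || v > 0o777 { // only rwx bits are accepted in this sketch
		return 0, fmt.Errorf("invalid mount permissions %q", param)
	}
	if v != 0 { // explicit opt-in: chmod is not filtered by the umask
		if err := os.Chmod(dir, os.FileMode(v)); err != nil {
			return 0, err
		}
	}
	info, err := os.Stat(dir)
	if err != nil {
		return 0, err
	}
	return info.Mode().Perm(), nil
}

// worldWritable reports whether "other" has the write bit (o+w).
func worldWritable(m os.FileMode) bool { return m&0o002 != 0 }

// demo creates a constructed stand-in for a mount target (MkdirTemp asks
// for 0700, subject to the umask) and applies param to it.
func demo(param string) (os.FileMode, error) {
	target, err := os.MkdirTemp("", "mountperm")
	if err != nil {
		return 0, err
	}
	defer os.RemoveAll(target)
	return applyMountPermissions(target, param)
}

func main() {
	for _, p := range []string{"0", "0777", "0750"} {
		m, err := demo(p)
		fmt.Printf("param=%s mode=%04o worldWritable=%t err=%v\n", p, m, worldWritable(m), err)
	}
}
```

With `0` the directory mode is left as created, while `0777` makes it writable by every local user on the node regardless of the umask.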
