Ensure umask is set appropriately for 'system service'

We need a umask of 0022 to ensure containers are created correctly, but we set a different one prior to starting the server (to ensure the unix socket has the right permissions). Thus, we need to set the umask after the socket has been bound, but before the server begins accepting requests. Fixes containers#6787 Signed-off-by: Matthew Heon <[email protected]>
mheon · Jul 6, 2020 · 0b7885b · 0b7885b
1 parent 8643526
commit 0b7885b
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/pkg/api/server/server.go b/pkg/api/server/server.go
@@ -173,6 +173,10 @@ func (s *APIServer) Serve() error {
 		}()
 	}
 
+	// Before we start serving, ensure umask is properly set for container
+	// creation.
+	_ = syscall.Umask(0022)
+
 	go func() {
 		err := s.Server.Serve(s.Listener)
 		if err != nil && err != http.ErrServerClosed {