summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorAndrew Clayton <a.clayton@nginx.com>2023-02-22 16:04:53 +0000
committerAndrew Clayton <a.clayton@nginx.com>2023-02-22 16:04:53 +0000
commit5c9113ddac6eb42efac7f0c77b2f374853ba7d8c (patch)
tree1b0b1309d863e9bfd7bba53c57b1790c7c5008be
parent1b7cf1f3d00adbbcd17890f1475c2c36f75c3f68 (diff)
downloadunit-5c9113ddac6eb42efac7f0c77b2f374853ba7d8c.tar.gz
unit-5c9113ddac6eb42efac7f0c77b2f374853ba7d8c.tar.bz2
Isolation: rootfs: Set the sticky bit on the tmp directory.
When using the 'rootfs' isolation option, by default a tmpfs filesystem is mounted on tmp/. Currently this is mounted with a mode of 0777, i.e drwxrwxrwx. 3 root root 60 Feb 22 11:56 tmp however this should really have the sticky bit[0] set (as is per-normal for such directories) to prevent users from having free reign on the files contained within. What we really want is it mounted with a mode of 01777, i.e drwxrwxrwt. 3 root root 60 Feb 22 11:57 tmp [0]: To quote inode(7) "The sticky bit (S_ISVTX) on a directory means that a file in that directory can be renamed or deleted only by the owner of the file, by the owner of the directory, and by a privileged process." Reviewed-by: Liam Crilly <liam@nginx.com> Signed-off-by: Andrew Clayton <a.clayton@nginx.com>
-rw-r--r--src/nxt_isolation.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/nxt_isolation.c b/src/nxt_isolation.c
index e43cf1f7..614d6bb5 100644
--- a/src/nxt_isolation.c
+++ b/src/nxt_isolation.c
@@ -652,7 +652,7 @@ nxt_isolation_set_lang_mounts(nxt_task_t *task, nxt_process_t *process,
mnt->flags = (NXT_FS_FLAGS_NOSUID
| NXT_FS_FLAGS_NODEV
| NXT_FS_FLAGS_NOEXEC);
- mnt->data = (u_char *) "size=1m,mode=777";
+ mnt->data = (u_char *) "size=1m,mode=1777";
mnt->builtin = 1;
mnt->deps = 0;