diff --git a/ecs-agent/daemonimages/csidriver/driver/node.go b/ecs-agent/daemonimages/csidriver/driver/node.go
index 79f9dee6ecd..b2edd3efaea 100644
--- a/ecs-agent/daemonimages/csidriver/driver/node.go
+++ b/ecs-agent/daemonimages/csidriver/driver/node.go
@@ -261,30 +261,15 @@ func (d *nodeService) NodeStageVolume(ctx context.Context, req *csi.NodeStageVol
 // Gid is generated based on SourceVolumeHostPath
 gid := util.GenerateGIDFromPath(sourceVolumeHostPath)
+ // Set permissions on the mount point to allow non-root users to access it
- if err := setMountPointPermissions(target, gid); err != nil {
+ if err := setMountPointPermissions(target, gid, volumeID); err != nil {
 return nil, status.Errorf(codes.Internal, "Failed to set permissions on mount point %s: %v", target, err)
 }
- klog.V(4).InfoS("Successfully set permissions on mount point", "target", target, "volumeID", volumeID, "gid", gid)
 return &csi.NodeStageVolumeResponse{}, nil
 }
-// setMountPointPermissions sets the permissions on the mount point to allow non-root users to access it
-func setMountPointPermissions(mountPath string, gid int) error {
- // Change group ownership to the provided GID
- if err := chownFunc(mountPath, -1, gid); err != nil {
- return fmt.Errorf("failed to change group ownership of %s to GID %d: %v", mountPath, gid, err)
- }
-
- // Set permissions to 0775 with setgid bit
- if err := chmodFunc(mountPath, 0775|os.ModeSetgid); err != nil {
- return fmt.Errorf("failed to set permissions on %s: %v", mountPath, err)
- }
-
- return nil
-}
-
 func newNodeService() nodeService {
 klog.V(4).InfoS("New node service")
 nodeMounter, err := newNodeMounter()
diff --git a/ecs-agent/daemonimages/csidriver/driver/node_linux.go b/ecs-agent/daemonimages/csidriver/driver/node_linux.go
index 73b94abb5e0..f59906b639a 100644
--- a/ecs-agent/daemonimages/csidriver/driver/node_linux.go
+++ b/ecs-agent/daemonimages/csidriver/driver/node_linux.go
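Review bot: In NodeStageVolume (node.go) the comment above the call, "Set permissions on the mount point to allow non-root users to access it", no longer holds on every platform, because the Windows build of setMountPointPermissions added by this commit returns nil without changing anything. The comment should say so, for example `// Set group ownership and mode on the mount point (Linux only; no-op on Windows)`. The body of NodeStageVolume starts before this hunk, so whether the mount made earlier is undone when this call fails cannot be checked from here.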
@@ -182,3 +182,19 @@ func (d *nodeService) getBlockSizeBytes(devicePath string, _ string) (int64, err
 }
 return gotSizeBytes, nil
 }
+
+// setMountPointPermissions sets the permissions on the mount point to allow non-root users to access it
+func setMountPointPermissions(mountPath string, gid int, volumeID string) error {
+ // Change group ownership to the provided GID
+ if err := chownFunc(mountPath, -1, gid); err != nil {
+ return fmt.Errorf("failed to change group ownership of %s to GID %d: %v", mountPath, gid, err)
+ }
+
+ // Set permissions to 0775 with setgid bit
+ if err := chmodFunc(mountPath, 0775|os.ModeSetgid); err != nil {
+ return fmt.Errorf("failed to set permissions on %s: %v", mountPath, err)
+ }
+
+ klog.V(4).InfoS("Successfully set permissions on mount point", "target", mountPath, "volumeID", volumeID, "gid", gid)
+ return nil
+}
diff --git a/ecs-agent/daemonimages/csidriver/driver/node_linux_test.go b/ecs-agent/daemonimages/csidriver/driver/node_linux_test.go
index 7bb76f7a7ec..13aa17e08ec 100644
--- a/ecs-agent/daemonimages/csidriver/driver/node_linux_test.go
+++ b/ecs-agent/daemonimages/csidriver/driver/node_linux_test.go
@@ -991,7 +991,7 @@ func TestSetMountPointPermissions(t *testing.T) {
 }
 // Call the function
- err := setMountPointPermissions(tc.mountPath, tc.gid)
+ err := setMountPointPermissions(tc.mountPath, tc.gid, "volumeID")
 // Verify results
 if tc.expectedError {
diff --git a/ecs-agent/daemonimages/csidriver/driver/node_windows.go b/ecs-agent/daemonimages/csidriver/driver/node_windows.go
index 970a4605ae8..818074a286b 100644
--- a/ecs-agent/daemonimages/csidriver/driver/node_windows.go
+++ b/ecs-agent/daemonimages/csidriver/driver/node_windows.go
@@ -28,6 +28,7 @@ import (
 "strings"
 "github.com/aws/amazon-ecs-agent/ecs-agent/daemonimages/csidriver/mounter"
+ "k8s.io/klog/v2"
 )
 // getBlockSizeBytes gets the size of the disk in bytes
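Review bot: In setMountPointPermissions (node_linux.go) the mode passed to chmodFunc, `0775|os.ModeSetgid`, gives read and traverse access to every user on the host, not only to members of the generated GID. If access is meant to be limited to the group that owns the volume, `0770|os.ModeSetgid` would match that intent. If world-read is deliberate, the doc comment should say so, for example `// Mode 0775 is intentional: users outside the group may read but not write`. Whether other local users or containers can reach the mount path is not visible in this hunk.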
@@ -75,3 +76,9 @@ func (d *nodeService) findDevicePath(devicePath, volumeID, _ string) (string, er
 return foundDiskNumber, nil
 }
+
+// setMountPointPermissions is a no-op on Windows because chown/chmod don't work on Windows
+func setMountPointPermissions(_ string, _ int, _ string) error {
+ klog.V(4).InfoS("Skipping setting mount point permissions on Windows")
+ return nil
+}
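Review bot: The Windows setMountPointPermissions returns nil without touching the mount point, so NodeStageVolume reports success while access to the volume is decided by whatever ACL the mount point already carries. The doc comment should state that, and say whether non-administrator access is expected to work there. The V(4) log line also discards all three arguments, so a skipped volume cannot be identified in the log. Naming the parameters and logging them would fix that: `klog.V(4).InfoS("Skipping setting mount point permissions on Windows", "target", mountPath, "volumeID", volumeID)`.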