4 changes: 4 additions & 0 deletions config.md
Expand Up @@ -217,6 +217,7 @@ For POSIX platforms the `user` structure has the following fields:

* **`uid`** (int, REQUIRED) specifies the user ID in the [container namespace](glossary.md#container-namespace).
* **`gid`** (int, REQUIRED) specifies the group ID in the [container namespace](glossary.md#container-namespace).
* **`umask`** (int, OPTIONAL) specifies the [umask][umask_2] of the user. If unspecified, the umask should not be changed from the calling process' umask.
Contributor:
nit: the possessive of “process” is “process's”, see us here and the Linux man pages here.

nit: the “If unspecified…” sentence should go on its own line.

* **`additionalGids`** (array of ints, OPTIONAL) specifies additional group IDs in the [container namespace](glossary.md#container-namespace) to be added to the process.

_Note: symbolic name for uid and gid, such as uname and gname respectively, are left to upper levels to derive (i.e. `/etc/passwd` parsing, NSS, etc)_
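Review bot: the new `umask` bullet gives no valid range or validation rule. umask(2) uses only the file permission bits, so state that the value must lie in 0 to 0777 (decimal 0 to 511) and that a runtime MUST reject anything outside that range; as written, a config carrying a value with higher bits set is accepted and each runtime decides on its own whether to mask, truncate or fail.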
Expand All @@ -233,6 +234,7 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
"user": {
"uid": 1,
"gid": 1,
"umask": 63,
Member:

I get that they're just ints, but I wish octals were viewable in JSON, and 077 wouldn't be 77

"additionalGids": [5, 6]
},
"env": [
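Review bot: the example value on the `"umask": 63,` line is octal 077 written in decimal, but nothing in the config.md text of this PR says the field is a decimal integer; add that sentence to the `umask` description (or pick an example value where the decimal and octal readings agree) so a reader of this example does not assume the JSON number is octal and configure a mask that is far more permissive than intended.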
Expand Down Expand Up @@ -291,6 +293,7 @@ _Note: symbolic name for uid and gid, such as uname and gname respectively, are
"user": {
"uid": 1,
"gid": 1,
"umask": 7,
"additionalGids": [2, 8]
},
"env": [
Expand Down Expand Up @@ -843,6 +846,7 @@ Here is a full example `config.json` for reference.
[selinux]:http://selinuxproject.org/page/Main_Page
[no-new-privs]: https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt
[proc_2]: https://www.kernel.org/doc/Documentation/filesystems/proc.txt
[umask.2]: http://pubs.opengroup.org/onlinepubs/009695399/functions/umask.html
Contributor:

nit: POSIX functions should be in section 3 (or 3p), so umask.2 should be umask.3. umask.2 would be the Linux kernel docs for umask.

nit: you're linking to the 2004 edition of POSIX. I'd rather stay consistent with our other links and use the 2016 edition (#858).

[semver-v2.0.0]: http://semver.org/spec/v2.0.0.html
[ieee-1003.1-2008-xbd-c8.1]: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap08.html#tag_08_01
[ieee-1003.1-2008-functions-exec]: http://pubs.opengroup.org/onlinepubs/9699919799/functions/exec.html
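Review bot: the reference label defined here is `[umask.2]`, but the bullet added at `@@ -217` links it as `[umask][umask_2]`; one of the two must change or the link will not resolve in the rendered Markdown. Whichever label is kept, the section-number nit above applies to it as well.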
4 changes: 4 additions & 0 deletions schema/config-schema.json
Expand Up @@ -109,6 +109,10 @@
"id": "https://opencontainers.org/schema/bundle/process/user/gid",
"$ref": "defs.json#/definitions/GID"
},
"umask": {
"id": "https://opencontainers.org/schema/bundle/process/user/umask",
"$ref": "defs.json#/definitions/Umask"
},
"additionalGids": {
"id": "https://opencontainers.org/schema/bundle/process/user/additionalGids",
"$ref": "defs.json#/definitions/ArrayOfGIDs"
3 changes: 3 additions & 0 deletions schema/defs.json
Expand Up @@ -60,6 +60,9 @@
"GID": {
"$ref": "#/definitions/uint32"
},
"Umask": {
Contributor:
The indent here is a bit strange. You can automatically format these files by running make fmt in the schema directory.

"$ref": "#/definitions/uint32"
},
"ArrayOfGIDs": {
"type": "array",
"items": {
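Review bot: `Umask` is only an alias of `uint32` here, so the schema accepts 4294967295 as a umask even though just the nine permission bits (0777, decimal 511) are meaningful; give it its own definition, e.g. `"type": "integer", "minimum": 0, "maximum": 511`, so out-of-range values fail validation instead of being silently masked or rejected differently by each runtime.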
2 changes: 2 additions & 0 deletions specs-go/config.go
Expand Up @@ -85,6 +85,8 @@ type User struct {
UID uint32 `json:"uid" platform:"linux,solaris"`
// GID is the group id.
GID uint32 `json:"gid" platform:"linux,solaris"`
// Umask is the umask for the init process.
Umask uint32 `json:"umask,omitempty" platform:"linux,solaris"`
Contributor:
Zero is a valid umask (it means “leave the permissions entirely up to the process itself”), so I think we need a pointer here.

// AdditionalGids are additional group ids set for the container's process.
AdditionalGids []uint32 `json:"additionalGids,omitempty" platform:"linux,solaris"`
// Username is the user name.
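Review bot: `Umask uint32` with `omitempty` cannot express the "if unspecified, do not change the umask" rule from config.md: a configured umask of 0 is dropped on marshal, and an absent field unmarshals to 0, so a runtime cannot tell "leave the calling process's umask alone" from "set the umask to 0". Use `*uint32` as suggested above, with nil meaning unspecified, and have the doc comment say so rather than only "the umask for the init process".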