

Windows:Create root/state with ACL
Signed-off-by: John Howard <[email protected]>
John Howard committed Mar 22, 2019
1 parent ceba568 commit 6034c19
Showing 3 changed files with 15 additions and 5 deletions.
5 changes: 3 additions & 2 deletions services/server/server.go
Expand Up @@ -43,6 +43,7 @@ import (
srvconfig "github.com/containerd/containerd/services/server/config"
"github.com/containerd/containerd/snapshots"
ssproxy "github.com/containerd/containerd/snapshots/proxy"
"github.com/containerd/containerd/sys"
metrics "github.com/docker/go-metrics"
grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
"github.com/pkg/errors"
Expand All @@ -61,10 +62,10 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
return errors.New("root and state must be different paths")
}

if err := os.MkdirAll(config.Root, 0711); err != nil {
if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
return err
}
if err := os.MkdirAll(config.State, 0711); err != nil {
if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
return err
}
return nil
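Review bot: The `0711` mode on the two new sys.MkdirAllWithACL calls now reads as though it governed every platform, but the Windows implementation in sys/filesys_windows.go dispatches to `mkdirall(path string, adminAndLocalSystem bool)`, which takes no mode at all, so the Unix perm appears to be dropped there and the directories get the Administrators+SYSTEM ACL instead. A comment above the two calls would keep the next reader from tightening or loosening 0711 expecting it to matter on Windows: `// On Unix these get mode 0711 (subject to umask); on Windows perm is not used and the directories are ACL'd for Administrators and SYSTEM.` CreateTopLevelDirectories begins and ends outside the hunk.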
5 changes: 5 additions & 0 deletions sys/filesys_unix.go
Expand Up @@ -24,3 +24,8 @@ import "os"
func ForceRemoveAll(path string) error {
return os.RemoveAll(path)
}

// MkdirAllWithACL is a wrapper for os.MkdirAll on Unix systems.
func MkdirAllWithACL(path string, perm os.FileMode) error {
return os.MkdirAll(path, perm)
}
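Review bot: The doc comment on the new MkdirAllWithACL says only that it wraps os.MkdirAll, yet the name suggests a hardened ACL like the Windows variant applies, and on Unix nothing beyond perm is set; perm is also masked by the process umask, and os.MkdirAll leaves the mode of an already-existing directory untouched. Spell that out so a caller does not read the name as a guarantee: `// MkdirAllWithACL is a wrapper for os.MkdirAll on Unix systems. No ACL is applied; perm is subject to the umask and is not changed on directories that already exist.` The build constraint for this file sits above the hunk and is not visible here.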
10 changes: 7 additions & 3 deletions sys/filesys_windows.go
Expand Up @@ -30,6 +30,11 @@ import (
"github.com/Microsoft/hcsshim"
)

const (
// SddlAdministratorsLocalSystem is local administrators plus NT AUTHORITY\System
SddlAdministratorsLocalSystem = "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
)

// MkdirAllWithACL is a wrapper for MkdirAll that creates a directory
// ACL'd for Builtin Administrators and Local System.
func MkdirAllWithACL(path string, perm os.FileMode) error {
Expand Down Expand Up @@ -78,7 +83,7 @@ func mkdirall(path string, adminAndLocalSystem bool) error {

if j > 1 {
// Create parent
err = mkdirall(path[0:j-1], false)
err = mkdirall(path[0:j-1], adminAndLocalSystem)
if err != nil {
return err
}
Expand Down Expand Up @@ -112,8 +117,7 @@ func mkdirall(path string, adminAndLocalSystem bool) error {
// and Local System.
func mkdirWithACL(name string) error {
sa := syscall.SecurityAttributes{Length: 0}
sddl := "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
sd, err := winio.SddlToSecurityDescriptor(sddl)
sd, err := winio.SddlToSecurityDescriptor(SddlAdministratorsLocalSystem)
if err != nil {
return &os.PathError{Op: "mkdir", Path: name, Err: err}
}
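Review bot: Passing adminAndLocalSystem through to the parent call in mkdirall (the `err = mkdirall(path[0:j-1], adminAndLocalSystem)` line) means every ancestor the daemon has to create on the way to root/state is also created with SddlAdministratorsLocalSystem, and because that SDDL carries `D:P` and `OICI` the DACL is protected from parent inheritance and propagates to everything created beneath it. That is the intent for root and state themselves, but if a shared ancestor such as a program-data directory does not yet exist it is now locked to Administrators and SYSTEM as well, which can surprise other users of that directory; this deserves a comment, and if it is not wanted, the ACL should be applied only to the final component. Suggested comment on the parent call: `// Create parent with the same ACL: any missing ancestor of a root/state path is restricted to Administrators and SYSTEM too.` Directories that already exist presumably keep whatever DACL they have (the existence check is outside the hunk), so the hardening applies only on first creation; mkdirall begins and ends outside the hunk.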
