Description of problem:
The mount path of subpath does not get the setgid bit by fsGroup.

Version-Release number of selected component (if applicable):
openshift v3.9.9
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16

How reproducible:
Very

Steps to Reproduce:
1. Create a Pod with emptyDir volume

    kind: Pod
    apiVersion: v1
    metadata: { name: "subpath" }
    spec:
      volumes:
      - { name: "direct", emptyDir: {}}
      - { name: "subpath", emptyDir: {}}
      securityContext:
        fsGroup: 100 # games(35) is member in group users(100)
        runAsUser: 35
      containers:
      - image: aosqe/hello-openshift
        name: show
        volumeMounts:
        - name: "direct"
          mountPath: "/mnt/direct"
        - name: "subpath"
          mountPath: "/mnt/subpath"
          subPath: "a"

2. oc exec subpath -- ls /mnt -l

Actual results:
    # oc exec subpath -- ls /mnt -l
    total 0
    drwxrwsrwx 2 root users 6 Mar 15 08:09 direct
    drwxrwxrwx 2 root users 6 Mar 15 08:09 subpath

Noticed the setgid bit is x instead of s.

Expected results:
The subpath mount path should have setgid bit.
This might be because recursive chmod of volume happens before subpath mount is created.
The last security fixes seem to be cause of this.
The reason is Fchmod in doSafeMakeDir(): https://github.com/openshift/origin/blob/77f8b2956b44a2ccb81f2805ae7f57247c03d8d2/vendor/k8s.io/kubernetes/pkg/util/mount/mount_linux.go#L998

    if err = syscall.Fchmod(parentFD, uint32(perm)&uint32(os.ModePerm)); err != nil {
        return fmt.Errorf("chmod %q failed: %s", currentPath, err)
    }

There are two issues:
- "perm&os.ModePerm" filters out sticky and SUID/SGID bits, which is wrong
- os.FileMode is not what fchmod() syscall expects - SUID/SGID/sticky flags are on different bits in os.FileMode and fchmod() argument.
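To make the two issues above concrete, here is an added, self-contained Go example (not code from Kubernetes or OpenShift). It reproduces the mode conversion the quoted snippet performs, a corrected conversion from os.FileMode to the mode_t layout fchmod(2) expects, and applies both to a temporary directory through a directory file descriptor so the lost setgid bit can be observed on disk. The helper names (buggyMode, unixMode, chmodDirViaFD) are assumptions made for this example; the bit layout facts come from the os and syscall packages.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// buggyMode mirrors the conversion in the quoted doSafeMakeDir() line:
// masking with os.ModePerm keeps only rwxrwxrwx, so setuid/setgid/sticky
// never reach fchmod(2). (Added illustration, not the project's code.)
func buggyMode(perm os.FileMode) uint32 {
	return uint32(perm) & uint32(os.ModePerm)
}

// rawMode shows that simply dropping the mask does not help either:
// os.ModeSetgid is a high bit (1<<22), not the kernel's S_ISGID (0o2000).
func rawMode(perm os.FileMode) uint32 {
	return uint32(perm)
}

// unixMode translates an os.FileMode into the mode bits fchmod(2) expects,
// moving the special bits to S_ISUID/S_ISGID/S_ISVTX. This is the mapping
// os.Chmod performs internally; it is reimplemented here as a hypothetical
// helper so the difference is visible.
func unixMode(perm os.FileMode) uint32 {
	m := uint32(perm.Perm())
	if perm&os.ModeSetuid != 0 {
		m |= syscall.S_ISUID
	}
	if perm&os.ModeSetgid != 0 {
		m |= syscall.S_ISGID
	}
	if perm&os.ModeSticky != 0 {
		m |= syscall.S_ISVTX
	}
	return m
}

// chmodDirViaFD applies mode to a directory through its file descriptor,
// the way doSafeMakeDir works on an already-opened parent, then reads the
// mode back from the filesystem so the caller can check what survived.
func chmodDirViaFD(dir string, mode uint32) (os.FileMode, error) {
	f, err := os.Open(dir)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	if err := syscall.Fchmod(int(f.Fd()), mode); err != nil {
		return 0, fmt.Errorf("fchmod %q failed: %w", dir, err)
	}
	fi, err := os.Lstat(dir)
	if err != nil {
		return 0, err
	}
	return fi.Mode(), nil
}

func main() {
	// The mode fsGroup handling wants on a volume directory: rwxrwsrwx.
	want := os.FileMode(0o777) | os.ModeSetgid

	dir, err := os.MkdirTemp("", "sgid-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	for _, c := range []struct {
		name string
		mode uint32
	}{
		{"buggyMode (os.ModePerm mask)", buggyMode(want)},
		{"unixMode (correct bit layout)", unixMode(want)},
	} {
		got, err := chmodDirViaFD(dir, c.mode)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-30s passed %#o -> on disk %v (setgid kept: %v)\n",
			c.name, c.mode, got, got&os.ModeSetgid != 0)
	}
}
```

Running it shows the first call leaving the directory as drwxrwxrwx, exactly the "x instead of s" in the bug description, while the second yields drwxrwsrwx.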
Opened issue upstream: https://github.com/kubernetes/kubernetes/issues/61283
fixed by https://github.com/openshift/origin/pull/19010
Verified on v3.9.20, this is fixed.
Verified on 3.9.24
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1566