aboutsummaryrefslogtreecommitdiffstats
path: root/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java
diff options
context:
space:
mode:
Diffstat (limited to 'node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java')
-rw-r--r--node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java25
1 files changed, 23 insertions, 2 deletions
diff --git a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java
index 964ed5e0e4d..2a2e3d611c9 100644
--- a/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java
+++ b/node-admin/src/main/java/com/yahoo/vespa/hosted/node/admin/task/util/fs/ContainerFileSystemProvider.java
@@ -26,6 +26,8 @@ import java.nio.file.attribute.FileAttributeView;
import java.nio.file.attribute.GroupPrincipal;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFileAttributes;
+import java.nio.file.attribute.PosixFilePermission;
+import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.nio.file.spi.FileSystemProvider;
import java.util.HashMap;
@@ -44,6 +46,12 @@ import static com.yahoo.yolean.Exceptions.uncheck;
* @author freva
*/
class ContainerFileSystemProvider extends FileSystemProvider {
+
+ private static final FileAttribute<?> DEFAULT_FILE_PERMISSIONS = PosixFilePermissions.asFileAttribute(Set.of( // 0640
+ PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.GROUP_READ));
+ private static final FileAttribute<?> DEFAULT_DIRECTORY_PERMISSIONS = PosixFilePermissions.asFileAttribute(Set.of( // 0750
+ PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE, PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_EXECUTE));
+
private final ContainerFileSystem containerFs;
private final ContainerUserPrincipalLookupService userPrincipalLookupService;
@@ -82,7 +90,8 @@ class ContainerFileSystemProvider extends FileSystemProvider {
Path pathOnHost = pathOnHost(path);
try (SecureDirectoryStream<Path> sds = leafDirectoryStream(pathOnHost)) {
boolean existedBefore = Files.exists(pathOnHost);
- SeekableByteChannel seekableByteChannel = sds.newByteChannel(pathOnHost.getFileName(), addNoFollow(options), attrs);
+ SeekableByteChannel seekableByteChannel = sds.newByteChannel(
+ pathOnHost.getFileName(), addNoFollow(options), addPermissions(DEFAULT_FILE_PERMISSIONS, attrs));
if (!existedBefore) fixOwnerToContainerRoot(toContainerPath(path));
return seekableByteChannel;
}
@@ -99,7 +108,7 @@ class ContainerFileSystemProvider extends FileSystemProvider {
public void createDirectory(Path dir, FileAttribute<?>... attrs) throws IOException {
Path pathOnHost = pathOnHost(dir);
boolean existedBefore = Files.exists(pathOnHost);
- provider(pathOnHost).createDirectory(pathOnHost);
+ provider(pathOnHost).createDirectory(pathOnHost, addPermissions(DEFAULT_DIRECTORY_PERMISSIONS, attrs));
if (!existedBefore) fixOwnerToContainerRoot(toContainerPath(dir));
}
@@ -324,4 +333,16 @@ class ContainerFileSystemProvider extends FileSystemProvider {
copy[options.length] = LinkOption.NOFOLLOW_LINKS;
return copy;
}
+
+ private static FileAttribute<?>[] addPermissions(FileAttribute<?> defaultPermissions, FileAttribute<?>... attrs) {
+ for (FileAttribute<?> attr : attrs) {
+ if (attr.name().equals("posix:permissions") || attr.name().equals("unix:permissions"))
+ return attrs;
+ }
+
+ FileAttribute<?>[] copy = new FileAttribute<?>[attrs.length + 1];
+ System.arraycopy(attrs, 0, copy, 0, attrs.length);
+ copy[attrs.length] = defaultPermissions;
+ return copy;
+ }
}