Windows:Create root/state with ACL

John Howard · John Howard · commit 6034c1950a0e · 2019-03-21T18:47:34.000-07:00
Signed-off-by: John Howard &lt;jhoward@microsoft.com&gt;
diff --git a/services/server/server.go b/services/server/server.go
@@ -43,6 +43,7 @@ import (
 	srvconfig "github.com/containerd/containerd/services/server/config"
 	"github.com/containerd/containerd/snapshots"
 	ssproxy "github.com/containerd/containerd/snapshots/proxy"
+	"github.com/containerd/containerd/sys"
 	metrics "github.com/docker/go-metrics"
 	grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
 	"github.com/pkg/errors"
@@ -61,10 +62,10 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
 		return errors.New("root and state must be different paths")
 	}
 
-	if err := os.MkdirAll(config.Root, 0711); err != nil {
+	if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
 		return err
 	}
-	if err := os.MkdirAll(config.State, 0711); err != nil {
+	if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
 		return err
 	}
 	return nil
diff --git a/sys/filesys_unix.go b/sys/filesys_unix.go
@@ -24,3 +24,8 @@ import "os"
 func ForceRemoveAll(path string) error {
 	return os.RemoveAll(path)
 }
+
+// MkdirAllWithACL is a wrapper for os.MkdirAll on Unix systems.
+func MkdirAllWithACL(path string, perm os.FileMode) error {
+	return os.MkdirAll(path, perm)
+}
diff --git a/sys/filesys_windows.go b/sys/filesys_windows.go
@@ -30,6 +30,11 @@ import (
 	"github.com/Microsoft/hcsshim"
 )
 
+const (
+	// SddlAdministratorsLocalSystem is local administrators plus NT AUTHORITY\System
+	SddlAdministratorsLocalSystem = "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
+)
+
 // MkdirAllWithACL is a wrapper for MkdirAll that creates a directory
 // ACL'd for Builtin Administrators and Local System.
 func MkdirAllWithACL(path string, perm os.FileMode) error {
@@ -78,7 +83,7 @@ func mkdirall(path string, adminAndLocalSystem bool) error {
 
 	if j > 1 {
 		// Create parent
-		err = mkdirall(path[0:j-1], false)
+		err = mkdirall(path[0:j-1], adminAndLocalSystem)
 		if err != nil {
 			return err
 		}
@@ -112,8 +117,7 @@ func mkdirall(path string, adminAndLocalSystem bool) error {
 // and Local System.
 func mkdirWithACL(name string) error {
 	sa := syscall.SecurityAttributes{Length: 0}
-	sddl := "D:P(A;OICI;GA;;;BA)(A;OICI;GA;;;SY)"
-	sd, err := winio.SddlToSecurityDescriptor(sddl)
+	sd, err := winio.SddlToSecurityDescriptor(SddlAdministratorsLocalSystem)
 	if err != nil {
 		return &os.PathError{Op: "mkdir", Path: name, Err: err}
 	}

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@ import (`
`43`	`43`	`srvconfig "github.com/containerd/containerd/services/server/config"`
`44`	`44`	`"github.com/containerd/containerd/snapshots"`
`45`	`45`	`ssproxy "github.com/containerd/containerd/snapshots/proxy"`
	`46`	`+ "github.com/containerd/containerd/sys"`
`46`	`47`	`metrics "github.com/docker/go-metrics"`
`47`	`48`	`grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"`
`48`	`49`	`"github.com/pkg/errors"`
`@@ -61,10 +62,10 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {`
`61`	`62`	`return errors.New("root and state must be different paths")`
`62`	`63`	`}`
`63`	`64`
`64`		`- if err := os.MkdirAll(config.Root, 0711); err != nil {`
	`65`	`+ if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {`
`65`	`66`	`return err`
`66`	`67`	`}`
`67`		`- if err := os.MkdirAll(config.State, 0711); err != nil {`
	`68`	`+ if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {`
`68`	`69`	`return err`
`69`	`70`	`}`
`70`	`71`	`return nil`
Original file line number	Diff line number	Diff line change
`@@ -24,3 +24,8 @@ import "os"`
`24`	`24`	`func ForceRemoveAll(path string) error {`
`25`	`25`	`return os.RemoveAll(path)`
`26`	`26`	`}`
	`27`	`+`
	`28`	`+// MkdirAllWithACL is a wrapper for os.MkdirAll on Unix systems.`
	`29`	`+func MkdirAllWithACL(path string, perm os.FileMode) error {`
	`30`	`+ return os.MkdirAll(path, perm)`
	`31`	`+}`