Fix directory permissions

AkihiroSuda · AkihiroSuda · commit 0450f046e694 · 2025-10-29T14:48:21.000+09:00
- Create /var/lib/containerd with 0o700 (was: 0o711).
- Create config.TempDir with 0o700 (was: 0o711).
- Create /run/containerd/io.containerd.grpc.v1.cri with 0o700 (was: 0o755).
- Create /run/containerd/io.containerd.sandbox.controller.v1.shim with 0o700 (was: 0o711).
- Leave /run/containerd and /run/containerd/io.containerd.runtime.v2.task created with 0o711,
  as required by userns-remapped containers.
  /run/containerd/io.containerd.runtime.v2.task/&lt;NS&gt;/&lt;ID&gt; is created with:
  - 0o700 for non-userns-remapped containers
  - 0o710 for userns-remapped containers with the remapped root group as the owner group.

Signed-off-by: Akihiro Suda &lt;akihiro.suda.cz@hco.ntt.co.jp&gt;
(cherry picked from commit 51b0cf11dc5af7ed1919beba259e644138b28d96)
Signed-off-by: Akihiro Suda &lt;akihiro.suda.cz@hco.ntt.co.jp&gt;
diff --git a/pkg/cri/cri.go b/pkg/cri/cri.go
@@ -74,6 +74,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {
 		}
 	}
 
+	if err := os.MkdirAll(ic.State, 0700); err != nil {
+		return nil, err
+	}
+	// chmod is needed for upgrading from an older release that created the dir with 0755
+	if err := os.Chmod(ic.State, 0700); err != nil {
+		return nil, err
+	}
 	c := criconfig.Config{
 		PluginConfig:       *pluginConfig,
 		ContainerdRootDir:  filepath.Dir(ic.Root),
diff --git a/runtime/v2/manager.go b/runtime/v2/manager.go
@@ -134,6 +134,8 @@ type ManagerConfig struct {
 // NewShimManager creates a manager for v2 shims
 func NewShimManager(ctx context.Context, config *ManagerConfig) (*ShimManager, error) {
 	for _, d := range []string{config.Root, config.State} {
+		// root:  the parent of this directory is created as 0700, not 0711.
+		// state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.
 		if err := os.MkdirAll(d, 0711); err != nil {
 			return nil, err
 		}
diff --git a/services/server/server.go b/services/server/server.go
@@ -77,10 +77,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
 		return errors.New("root and state must be different paths")
 	}
 
-	if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {
+	if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {
+		return err
+	}
+	// chmod is needed for upgrading from an older release that created the dir with 0o711
+	if err := os.Chmod(config.Root, 0700); err != nil {
 		return err
 	}
 
+	// For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.
+	// Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.
 	if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {
 		return err
 	}
@@ -95,7 +101,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {
 	}
 
 	if config.TempDir != "" {
-		if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {
+		if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {
+			return err
+		}
+		// chmod is needed for upgrading from an older release that created the dir with 0o711
+		if err := os.Chmod(config.Root, 0700); err != nil {
 			return err
 		}
 		if runtime.GOOS == "windows" {

Original file line number	Diff line number	Diff line change
`@@ -74,6 +74,13 @@ func initCRIService(ic *plugin.InitContext) (interface{}, error) {`
`74`	`74`	`}`
`75`	`75`	`}`
`76`	`76`
	`77`	`+ if err := os.MkdirAll(ic.State, 0700); err != nil {`
	`78`	`+ return nil, err`
	`79`	`+ }`
	`80`	`+ // chmod is needed for upgrading from an older release that created the dir with 0755`
	`81`	`+ if err := os.Chmod(ic.State, 0700); err != nil {`
	`82`	`+ return nil, err`
	`83`	`+ }`
`77`	`84`	`c := criconfig.Config{`
`78`	`85`	`PluginConfig: *pluginConfig,`
`79`	`86`	`ContainerdRootDir: filepath.Dir(ic.Root),`
Original file line number	Diff line number	Diff line change
`@@ -134,6 +134,8 @@ type ManagerConfig struct {`
`134`	`134`	`// NewShimManager creates a manager for v2 shims`
`135`	`135`	`func NewShimManager(ctx context.Context, config ManagerConfig) (ShimManager, error) {`
`136`	`136`	`for _, d := range []string{config.Root, config.State} {`
	`137`	`+ // root: the parent of this directory is created as 0700, not 0711.`
	`138`	`+ // state: the parent of this directory is created as 0711 too, so as to support userns-remapped containers.`
`137`	`139`	`if err := os.MkdirAll(d, 0711); err != nil {`
`138`	`140`	`return nil, err`
`139`	`141`	`}`
Original file line number	Diff line number	Diff line change
`@@ -77,10 +77,16 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {`
`77`	`77`	`return errors.New("root and state must be different paths")`
`78`	`78`	`}`
`79`	`79`
`80`		`- if err := sys.MkdirAllWithACL(config.Root, 0711); err != nil {`
	`80`	`+ if err := sys.MkdirAllWithACL(config.Root, 0700); err != nil {`
	`81`	`+ return err`
	`82`	`+ }`
	`83`	`+ // chmod is needed for upgrading from an older release that created the dir with 0o711`
	`84`	`+ if err := os.Chmod(config.Root, 0700); err != nil {`
`81`	`85`	`return err`
`82`	`86`	`}`
`83`	`87`
	`88`	`+ // For supporting userns-remapped containers, the state dir cannot be just mkdired with 0o700.`
	`89`	`+ // Each of plugins creates a dedicated directory beneath the state dir with appropriate permission bits.`
`84`	`90`	`if err := sys.MkdirAllWithACL(config.State, 0711); err != nil {`
`85`	`91`	`return err`
`86`	`92`	`}`
`@@ -95,7 +101,11 @@ func CreateTopLevelDirectories(config *srvconfig.Config) error {`
`95`	`101`	`}`
`96`	`102`
`97`	`103`	`if config.TempDir != "" {`
`98`		`- if err := sys.MkdirAllWithACL(config.TempDir, 0711); err != nil {`
	`104`	`+ if err := sys.MkdirAllWithACL(config.TempDir, 0700); err != nil {`
	`105`	`+ return err`
	`106`	`+ }`
	`107`	`+ // chmod is needed for upgrading from an older release that created the dir with 0o711`
	`108`	`+ if err := os.Chmod(config.Root, 0700); err != nil {`
`99`	`109`	`return err`
`100`	`110`	`}`
`101`	`111`	`if runtime.GOOS == "windows" {`