From c1158494033321ecff6e12ac1ac8a847a7d278bf Mon Sep 17 00:00:00 2001
From: "Yuan (Bob) Gong" <4957653+Bobgy@users.noreply.github.com>
Date: Thu, 8 Jul 2021 23:14:29 +0800
Subject: [PATCH] fix(executor): emissary - make /var/run/argo files readable from non-root users. Fixes #6238 (#6304)

Signed-off-by: Yuan Gong
---
 workflow/executor/emissary/emissary.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/workflow/executor/emissary/emissary.go b/workflow/executor/emissary/emissary.go
index 3f20964606f7..a59289987502 100644
--- a/workflow/executor/emissary/emissary.go
+++ b/workflow/executor/emissary/emissary.go
@@ -62,7 +62,7 @@ func (e emissary) writeTemplate(t wfv1.Template) error {
 if err != nil {
 return err
 }
- return ioutil.WriteFile("/var/run/argo/template", data, 0o400) // chmod -r--------
+ return ioutil.WriteFile("/var/run/argo/template", data, 0o444) // chmod -r--r--r--
 }

 func (e emissary) GetFileContents(_ string, sourcePath string) (string, error) {
@@ -137,7 +137,7 @@ func (e emissary) isComplete(containerNames []string) bool {

 func (e emissary) Kill(ctx context.Context, containerNames []string, terminationGracePeriodDuration time.Duration) error {
 for _, containerName := range containerNames {
- if err := ioutil.WriteFile("/var/run/argo/ctr/"+containerName+"/signal", []byte(strconv.Itoa(int(syscall.SIGTERM))), 0o600); err != nil {
+ if err := ioutil.WriteFile("/var/run/argo/ctr/"+containerName+"/signal", []byte(strconv.Itoa(int(syscall.SIGTERM))), 0o644); err != nil {
 return err
 }
 }
@@ -148,7 +148,7 @@ func (e emissary) Kill(ctx context.Context, containerNames []string, termination
 return err
 }
 for _, containerName := range containerNames {
- if err := ioutil.WriteFile("/var/run/argo/ctr/"+containerName+"/signal", []byte(strconv.Itoa(int(syscall.SIGKILL))), 0o600); err != nil {
+ if err := ioutil.WriteFile("/var/run/argo/ctr/"+containerName+"/signal", []byte(strconv.Itoa(int(syscall.SIGKILL))), 0o644); err != nil {
 return err
 }
 }
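Review bot: The 0o444 mode on the new `return ioutil.WriteFile("/var/run/argo/template", ...)` line makes the serialized template readable by every UID that can reach /var/run/argo, which is wider than the one non-root main-container user the commit title refers to. If the template can carry resolved parameter values or inline script source (how `data` is built is not visible in this hunk), that content becomes readable to any other container sharing the directory, so the trailing comment should record the trade-off, e.g. `// 0o444: main container may run as any non-root UID; contents are visible to every process that can read this directory`. The mode passed to `ioutil.WriteFile` is also applied only when the file is created and is filtered by the process umask, so a restrictive umask in the executor would silently restore owner-only access. writeTemplate starts above the hunk.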
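Review bot: Both signal-file writes in Kill (this hunk and the one at -148) pass 0o644, but `ioutil.WriteFile` applies the mode only when it creates the file. The SIGKILL write will normally truncate the file that the SIGTERM write already created, so its mode argument has no effect, and a signal file that already exists with 0o600 stays unreadable to the non-root reader. If the reader must always be able to open it, follow each write with an explicit `os.Chmod(path, 0o644)`, or add a comment stating that the file is always freshly created. The mode literal and the path expression `"/var/run/argo/ctr/"+containerName+"/signal"` are duplicated across the two loops; a small private helper (for example `writeSignal(containerName, sig)`, name illustrative) would keep them in step. Kill's body continues outside both hunks.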