lxc-start-ephemeral: Set tmpfs mode to 0755

The tmpfs was mounted with its default mode (1777) which was then picked
up by overlayfs/aufs as the target's mode.

This led to a world writable / in ephemeral containers.

I have confirmed that this issue doesn't impact lxc-clone.

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>

diff --git a/src/lxc/lxc-start-ephemeral.in b/src/lxc/lxc-start-ephemeral.in
index 822f8027884bd13d4a63dd003f76fcee611f59e4..d5690b23448d2afc3eb0ae8bb53020212296c4a0 100644 (file)
--- a/src/lxc/lxc-start-ephemeral.in
+++ b/src/lxc/lxc-start-ephemeral.in
@@ -219,7 +219,7 @@ LXC_NAME="%s"
         fd.write("mkdir -p %s %s\n" % (target, entry[1]))
 
         if args.storage_type == "tmpfs":
-            fd.write("mount -n -t tmpfs none %s\n" % (target))
+            fd.write("mount -n -t tmpfs -o mode=0755 none %s\n" % (target))
 
         if args.union_type == "overlayfs":
             fd.write("mount -n -t overlayfs"