From 260963a354d972201ffe9a6ce882f1c0e9b319d9 Mon Sep 17 00:00:00 2001
From: Jaroslav Jindrak <dzejrou@gmail.com>
Date: Sat, 23 Dec 2023 21:41:54 +0100
Subject: [PATCH 1/2] shim: Create pid-file with 0644 permissions

Fixes ae7021300

In ae7021300 the WritePidFile and WriteAddress functions were
changed to use AtomicFile instead of os.CreateFile. However,
AtomicFile creates a temporary file and then changes its permissions
with os.Chmod which alters the previously observed behavior of
os.CreateFile which takes the system's umask into account.

This means that on Linux-based systems these files suddenly
became world writable (#9363). The address file has since been
removed, but pid-file was still created as world writable. This
commit explicitly requests 0644 permissions as even on systems
without default umask of 0022 there is no reason to have these
two files world writable.

Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
(cherry picked from commit 9d328410a5c7bab106fe81cd37a36e4534ce9205)
Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
---
 runtime/v2/shim/util.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/runtime/v2/shim/util.go b/runtime/v2/shim/util.go
index fce1318a63ad..3740d87dbf8a 100644
--- a/runtime/v2/shim/util.go
+++ b/runtime/v2/shim/util.go
@@ -126,7 +126,7 @@ func WritePidFile(path string, pid int) error {
 	if err != nil {
 		return err
 	}
-	f, err := atomicfile.New(path, 0o666)
+	f, err := atomicfile.New(path, 0o644)
 	if err != nil {
 		return err
 	}

From 8d82242eb525f87b91bbc2c2499559855dd363cf Mon Sep 17 00:00:00 2001
From: Jaroslav Jindrak <dzejrou@gmail.com>
Date: Sat, 23 Dec 2023 21:46:12 +0100
Subject: [PATCH 2/2] shim: Create address file with 0644 permissions

Fixes ae70213

In ae70213 the WritePidFile and WriteAddress functions were
changed to use AtomicFile instead of os.CreateFile. However,
AtomicFile creates a temporary file and then changes its permissions
with os.Chmod which alters the previously observed behavior of
os.CreateFile which takes the system's umask into account.

This means that on Linux-based systems these files suddenly
became world writable (#9363).

Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com>
---
 runtime/v2/shim/util.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/runtime/v2/shim/util.go b/runtime/v2/shim/util.go
index 3740d87dbf8a..e8cfeec077c5 100644
--- a/runtime/v2/shim/util.go
+++ b/runtime/v2/shim/util.go
@@ -144,7 +144,7 @@ func WriteAddress(path, address string) error {
 	if err != nil {
 		return err
 	}
-	f, err := atomicfile.New(path, 0o666)
+	f, err := atomicfile.New(path, 0o644)
 	if err != nil {
 		return err
 	}