services/agent/pod_agentd: Make socket 666
Change the permissions on the socket to be world accessible. This allows
the applications inside the containers to run with a non-root UID.
Note that the parent directory of the socket is only mounted in
containers that should have access to it. So, this does not give
access to the principal to anything new.
Change-Id: I5ef033fdb738ad4c007a61d9a9a279a1abbb6b4a
diff --git a/services/agent/pod_agentd/main.go b/services/agent/pod_agentd/main.go
index e48cd47..569bd4b 100644
--- a/services/agent/pod_agentd/main.go
+++ b/services/agent/pod_agentd/main.go
@@ -100,6 +100,14 @@
if err = i.Listen(socketPath); err != nil {
return err
}
+ // Make the socket available to all users so that the application can
+ // run with a non-root UID.
+ // The socket's parent directory is mounted only in the containers that
+ // should have access to it. So, this doesn't change who has access to
+ // the socket.
+ if err = os.Chmod(socketPath, 0666); err != nil {
+ return err
+ }
<-signals.ShutdownOnSignals(ctx)
return nil
}
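Review bot: The `os.Chmod(socketPath, 0666)` call makes the mount of the parent directory the only access control on the agent socket, and nothing in this function checks that assumption. Any process of any UID inside a container that has the directory mounted can now connect, so consider a narrower mode such as 0660 with a group shared by the application UID, or verify the parent directory's mode and ownership before serving. The chmod also runs after `i.Listen(socketPath)`, so a non-root client that connects between the two calls may be refused, depending on the process umask. Finally, the bare `return err` after the chmod would be easier to diagnose if it wrapped the error with the socket path.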