services/agent/pod_agentd: Make socket 666 Change the permissions on the socket to be world accessible. This allows the applications inside the containers to run with a non-root UID. Note that the parent directory of the socket is only mounted in containers that should have access to it. So, this does not give anything access to the principal to anything new. Change-Id: I5ef033fdb738ad4c007a61d9a9a279a1abbb6b4a

commit: 3c90544e19563f85e8bcb6b656a813789e7f11ed [log] [tgz]
author: Robin Thellend <rthellend@google.com> Mon Dec 07 13:47:16 2015 -0800
committer: Robin Thellend <rthellend@google.com> Mon Dec 07 13:47:16 2015 -0800
tree: c2b6a32a73c113a75deab9f9c705917911c03dbc
parent: eefa9dda7ecd57cf49fb643bc8bda9496fc16196 [diff]
diff --git a/services/agent/pod_agentd/main.go b/services/agent/pod_agentd/main.go
index e48cd47..569bd4b 100644
--- a/services/agent/pod_agentd/main.go
+++ b/services/agent/pod_agentd/main.go

@@ -100,6 +100,14 @@
 	if err = i.Listen(socketPath); err != nil {
 		return err
 	}
+	// Make the socket available to all users so that the application can
+	// run with a non-root UID.
+	// The socket's parent directory is mounted only in the containers that
+	// should have access to it. So, this doesn't change who has access to
+	// the socket.
+	if err = os.Chmod(socketPath, 0666); err != nil {
+		return err
+	}
 	<-signals.ShutdownOnSignals(ctx)
 	return nil
 }
commit	3c90544e19563f85e8bcb6b656a813789e7f11ed	[log] [tgz]
author	Robin Thellend <rthellend@google.com>	Mon Dec 07 13:47:16 2015 -0800
committer	Robin Thellend <rthellend@google.com>	Mon Dec 07 13:47:16 2015 -0800
tree	c2b6a32a73c113a75deab9f9c705917911c03dbc
parent	eefa9dda7ecd57cf49fb643bc8bda9496fc16196 [diff]