Recent security update changed default permissions of tmpfs

[khuey]

Description

Updating runc recently has resulted in the default permissions on docker tmpfses being 0755 rather than the expected 1777.

Steps to reproduce the issue

1. docker run --tmpfs /my-tmp:exec --rm -it ubuntu:latest ls -al /my-tmp

Describe the results you received and expected

After the security update:

total 0
drwxr-xr-x 2 root root 40 Nov 5 17:54 .
drwxr-xr-x 1 root root 12 Nov 5 17:54 ..

Before the security update

total 0
drwxrwxrwt 2 root root 40 Nov 5 17:55 .
drwxr-xr-x 1 root root 12 Nov 5 17:55 ..

What version of runc are you using?

1.3.3-0ubuntu1~24.04.2

Host OS information

Ubuntu 24.04 LTS

Host kernel information

6.15.0

[cyphar]

Ah, I see what happened. runc will automatically set mode=N to the mode of the mount if it already exists (if it doesn't, mode=N doesn't get set), but in 72fbb34 we moved the creation logic so it happens first and so it will always get set to the mode we used to create the directories (unless it already existed, which isn't the case here). I used 0o755 as the default mode for the auto-created directories.

I'll prepare a patch tomorrow.

[nowheretobefound]

I also experienced this with latest update from https://download.docker.com/linux/debian bookworm stable
on Debian Trixie, it broke all my postgres containers with tmpfs mounted on /dev/shm .

[ieugen]

Same here. all my postgresql containers with tmpfs on /dev/shm broke .

I started seeing some issues with PostgreSQL in container (docker swarm) after server maintenance today (ubuntu 22.04 and docker upgrade from 28.3 -> 28.5.2) .
I get this:

 FATAL:  could not open shared memory segment "/PostgreSQL.2193961348": Permission denied

because I had :

   # - type: tmpfs
      #   target: /dev/shm
      #   tmpfs:
      #     # https://github.com/moby/moby/issues/26714
      #     size: 8192000000

Removing tmpfs fixes postgresql start and stop.

[nowheretobefound]

On debian this rolled back to a working version of runc :

apt install containerd.io=1.7.28-1~debian.13~trixie

Mark it as hold until it is fixed

apt-mark hold containerd.io

[cyphar]

A solution that doesn't open you up to security issues is to manually configure mode=1777 for the tmpfs mount configuration.

[nowheretobefound]

@cyphar Thank you for pointing that out and it is indeed the correct way. However I have not found a way of passing that setting on docker swarm, it just doesnt take effect for me.

[pizaCat]

A solution that doesn't open you up to security issues is to manually configure mode=1777 for the tmpfs mount configuration.

If anyone gets this to work with Docker Swarm please let me know. In a simple docker compose it works fine but I could not get it to work with swarm: it ignores the tmpfs mode.

[cyphar]

If you create a custom image with a directory that has the correct mode, that will be used as the tmpfs mode (i.e., mkdir /tmp; chmod =1777 /tmp). This unfortunately won't help with /dev/shm because /dev gets overmounted with a tmpfs first and so runc can't see the /dev/shm directory.

[pizaCat]

Yeah in my case it's postgres images and it's for a bigger shm. Docker swarm does not respect shm_size either unfortunately.