cnabio / cnab-go

A Go implementation of CNAB Core 1.0
MIT License

Copy files into container with right owner #279

Closed carolynvs closed 2 years ago

carolynvs commented 2 years ago

When a bundle's invocation image is configured to run as a user other than root, the files that we copy into the container before running it are unreadable by the container.

This change has us get the user used by the container, and then ensure that any files we copy into the container are owned by that user. When the image does not specify a user id, then we fall back to copying the files with root owning them.

When a file is injected into a directory that doesn't exist, we explicitly set permissions on that directory so that the container user can read and write to it. So injecting /cnab/app/mystuff/myfile.txt will result in mystuff being owned by the container user as well.

I have changed the permission bits we write since they were also granting permission to the group and others. Now it injects files with only the owner having access. This gives the container the ability to tweak permissions as needed once it starts.
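The mechanism described in this PR, as an added example that is not cnab-go's own code: the uid/gid is taken from the image's `User` config (root when it is absent), and the tar stream handed to Docker's copy API carries every injected file as 0600 and every directory it creates as 0700, owned by that user. The names `containerOwner` and `injectArchive`, the assumption that `root` (here `/cnab/app`) already exists in the image, and the choice not to resolve user names or fill in a missing gid from the image's `/etc/passwd` are this example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"path"
	"strconv"
	"strings"
)

// containerOwner parses the image's User config ("1000" or "1000:1000"); empty or non-numeric values (names are not resolved here) fall back to root.
func containerOwner(user string) (uid, gid int) {
	p := strings.SplitN(user, ":", 2)
	uid, err := strconv.Atoi(p[0])
	gid, gerr := strconv.Atoi(p[len(p)-1]) // gid defaults to uid when absent
	if err != nil || gerr != nil || uid < 0 || gid < 0 {
		return 0, 0 // no usable numeric User: copy as root, as the PR does
	}
	return uid, gid
}

// injectArchive builds the tar stream extracted into the container under root (assumed to
// exist, e.g. /cnab/app): new directories 0700, files 0600, all owned by the container user.
func injectArchive(user, root string, files map[string][]byte) ([]byte, error) {
	uid, gid := containerOwner(user)
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for name, data := range files {
		rel := strings.TrimPrefix(name, root+"/")
		if rel == name || rel != path.Clean(rel) || strings.HasPrefix(rel+"/", "../") {
			return nil, fmt.Errorf("%q is not a clean path under %s", name, root)
		}
		parts := strings.Split(rel, "/")
		for i := 1; i < len(parts); i++ { // parents first: mystuff/, then mystuff/sub/, ...
			h := &tar.Header{Typeflag: tar.TypeDir, Name: strings.Join(parts[:i], "/") + "/", Mode: 0700, Uid: uid, Gid: gid}
			if err := tw.WriteHeader(h); err != nil {
				return nil, err
			}
		}
		if err := tw.WriteHeader(&tar.Header{Typeflag: tar.TypeReg, Name: rel, Mode: 0600, Uid: uid, Gid: gid, Size: int64(len(data))}); err != nil {
			return nil, err
		}
		if _, err := tw.Write(data); err != nil {
			return nil, err
		}
	}
	err := tw.Close() // writes the end-of-archive trailer
	return buf.Bytes(), err
}
```

Injecting `/cnab/app/mystuff/myfile.txt` with `User` set to `1000:1000` yields a `mystuff/` entry and a `mystuff/myfile.txt` entry, both 1000:1000, with modes 0700 and 0600; paths that clean to somewhere outside `root` are refused.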