From 9ffb4d09279c8a0ca7dcfe23823ae9f56998744b Mon Sep 17 00:00:00 2001
From: Tim Gross
Date: Fri, 14 Jan 2022 09:59:35 -0500
Subject: [PATCH] drivers: set world-readable permissions on copied resolv.conf
When we copy the system DNS to a task's `resolv.conf`, we should set the permissions as world-readable so that unprivileged users within the task can read it.
---
 .changelog/11856.txt | 3 +++
 drivers/shared/resolvconf/mount.go | 9 ++-------
 2 files changed, 5 insertions(+), 7 deletions(-)
 create mode 100644 .changelog/11856.txt
diff --git a/.changelog/11856.txt b/.changelog/11856.txt
new file mode 100644
index 000000000000..24a38b794443
--- /dev/null
+++ b/.changelog/11856.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+drivers: Fixed a bug where the `resolv.conf` copied from the system was not readable to unprivileged processes within the task
+```
diff --git a/drivers/shared/resolvconf/mount.go b/drivers/shared/resolvconf/mount.go
index 02393478efcd..63954166c835 100644
--- a/drivers/shared/resolvconf/mount.go
+++ b/drivers/shared/resolvconf/mount.go
@@ -69,15 +69,10 @@ func copySystemDNS(dest string) error {
 }
 defer in.Close()
- out, err := os.Create(dest)
+ content, err := io.ReadAll(in)
 if err != nil {
 return err
 }
- defer func() {
- out.Sync()
- out.Close()
- }()
- _, err = io.Copy(out, in)
- return err
+ return os.WriteFile(dest, content, 0644)
 }
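Review bot: The `0644` passed to `os.WriteFile` in `copySystemDNS` does not guarantee a world-readable file. The mode is applied only when the file is created, and it is still filtered by the process umask. If the client runs with a restrictive umask such as 027 or 077, or `dest` already exists with a tighter mode from an earlier run, the copied `resolv.conf` would stay unreadable to unprivileged users in the task. Setting the mode explicitly after the write closes that gap: `if err := os.WriteFile(dest, content, 0644); err != nil { return err }` followed by `return os.Chmod(dest, 0644)`. The start of `copySystemDNS` lies outside the hunk, so this assumes nothing earlier in the function adjusts the umask or pre-creates `dest`.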