From 3dbee0ec368f3ea8c31f49c8b1a4617cc32bcce9 Mon Sep 17 00:00:00 2001
From: "Yuan (Bob) Gong" <4957653+Bobgy@users.noreply.github.com>
Date: Wed, 30 Jun 2021 22:16:51 +0800
Subject: [PATCH] fix(executor): emissary - make argoexec executable from
 non-root containers. Fixes #6238 (#6247)

Signed-off-by: Yuan Gong <gongyuan94@gmail.com>

Co-authored-by: Alex Collins <alexec@users.noreply.github.com>
---
 workflow/executor/emissary/binary.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/workflow/executor/emissary/binary.go b/workflow/executor/emissary/binary.go
index 10d66dea5b75..f0377989ccee 100644
--- a/workflow/executor/emissary/binary.go
+++ b/workflow/executor/emissary/binary.go
@@ -16,7 +16,9 @@ func copyBinary() error {
 		return err
 	}
 	defer func() { _ = in.Close() }()
-	out, err := os.OpenFile("/var/run/argo/argoexec", os.O_RDWR|os.O_CREATE, 0o500) // r-x------
+	// argoexec needs to be executable from non-root user in the main container.
+	// Therefore we set permission 0o555 == r-xr-xr-x.
+	out, err := os.OpenFile("/var/run/argo/argoexec", os.O_RDWR|os.O_CREATE, 0o555)
 	if err != nil {
 		return err
 	}