Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

utils: mkdirall: fix handling of suid/sgid bits #4400

Merged
merged 4 commits into from
Sep 14, 2024

Conversation

cyphar
Copy link
Member

@cyphar cyphar commented Sep 13, 2024

Draft until filepath-securejoin v0.3.2 is released.

This fixes some minor issues with suid/sgid bits introduced by #4393.

/cc @lifubang
Fixes #4401
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch 2 times, most recently from 74139b6 to 85b09d6 Compare September 13, 2024 07:53
We reintroduced this once already because it is quite easy to miss this
subtle aspect of proc mounting. The recent migration to
securejoin.MkdirAllInRoot could have also inadvertently reintroduced
this (though it didn't).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch 2 times, most recently from 14a5320 to 079ebc3 Compare September 13, 2024 08:17
@cyphar
Copy link
Member Author

cyphar commented Sep 13, 2024

@lifubang Can you verify this fixes the dind issue? I added a test which should be a reproducer for the problem you hit.

@lifubang
Copy link
Member

@lifubang Can you verify this fixes the dind issue? I added a test which should be a reproducer for the problem you hit.

Has verified that it has indeed fixed the dind issue. Thanks.

@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch from 079ebc3 to a93a25e Compare September 13, 2024 10:50
@cyphar cyphar marked this pull request as ready for review September 13, 2024 10:50
@cyphar
Copy link
Member Author

cyphar commented Sep 13, 2024

I've released a new version of filepath-securejoin, so this should be ready now.

Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

libcontainer/utils/utils_unix.go Outdated Show resolved Hide resolved
tests/integration/mounts.bats Show resolved Hide resolved
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: cyphar/filepath-securejoin#23
Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
This includes a fix for the handling of S_ISGID directories.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch from a93a25e to d8844e2 Compare September 13, 2024 13:34
Copy link
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still LGTM

Copy link
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kolyshkin kolyshkin merged commit d5ee7a5 into opencontainers:main Sep 14, 2024
42 checks passed
@cyphar cyphar deleted the mkdirall-suidsgid-bits branch September 14, 2024 03:33
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

mkdirall regression with filepath.MkdirAll
4 participants