Fix missing setuid flags on COPY --from=build operation (#2089)

* Fix missing file permissions on multi-stage build

Fixes #2075

When a file with the setuid bit is copied from one stage
to another, the permissions were not copied over properly after
ownership was set on the directory and on the file itself.

* Update pkg/util/fs_util.go

Co-authored-by: Jason Hall <jason@chainguard.dev>

* Adding boilerplate to dockerfile

* Add bash check to bail with exit code 1 if setuid not present

Co-authored-by: Jason Hall <jason@chainguard.dev>
Tony De La Nuez 2022-05-22 08:20:18 -05:00 committed by GitHub
parent e22346d881
commit 77ac6942a6
3 changed files with 38 additions and 5 deletions


@ -0,0 +1,28 @@
# Copyright 2022 Google, Inc. All rights reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
FROM docker.io/debian:bullseye-slim as base
FROM base as build
COPY ["top1", "/tmp/top1"]
RUN \
set -eu; \
cp /tmp/top1 /usr/local/bin/top1; \
chown root:root /usr/local/bin/top1; \
chmod u=rxs,go=rx /usr/local/bin/top1; \
ls -lh /usr/local/bin/top1
FROM base as final
COPY --from=build ["/usr/local/bin/top1", "/usr/local/bin/"]
RUN [ -u /usr/local/bin/top1 ]
LABEL \
description="Testing setuid behavior in Kaniko"
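Review bot: The check `RUN [ -u /usr/local/bin/top1 ]` only asserts that the setuid bit survived the `COPY --from=build`; it does not verify that the `root:root` ownership and the remaining mode bits set in the build stage (`chmod u=rxs,go=rx`, i.e. 4555) were carried over, which is the combination the commit description says was being lost. A setuid binary that ended up owned by a different user, or with extra write bits, would still pass this test. Consider tightening the final-stage check to `RUN [ "$(stat -c '%a %U:%G' /usr/local/bin/top1)" = "4555 root:root" ]` so the regression test pins the exact owner and mode rather than a single bit. The 28-line addition count suggests one line of this file (likely a blank line) is not shown on the page.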

Binary file not shown.


@ -892,7 +892,11 @@ func getSymlink(path string) error {
func CopyFileOrSymlink(src string, destDir string, root string) error { func CopyFileOrSymlink(src string, destDir string, root string) error {
destFile := filepath.Join(destDir, src) destFile := filepath.Join(destDir, src)
src = filepath.Join(root, src) src = filepath.Join(root, src)
if fi, _ := os.Lstat(src); IsSymlink(fi) { fi, err := os.Lstat(src)
if err != nil {
return errors.Wrap(err, "getting file info")
}
if IsSymlink(fi) {
link, err := os.Readlink(src) link, err := os.Readlink(src)
if err != nil { if err != nil {
return errors.Wrap(err, "copying file or symlink") return errors.Wrap(err, "copying file or symlink")
@ -902,14 +906,15 @@ func CopyFileOrSymlink(src string, destDir string, root string) error {
} }
return os.Symlink(link, destFile) return os.Symlink(link, destFile)
} }
err := otiai10Cpy.Copy(src, destFile) if err := otiai10Cpy.Copy(src, destFile); err != nil {
if err != nil {
return errors.Wrap(err, "copying file") return errors.Wrap(err, "copying file")
} }
err = CopyOwnership(src, destDir, root) if err := CopyOwnership(src, destDir, root); err != nil {
if err != nil {
return errors.Wrap(err, "copying ownership") return errors.Wrap(err, "copying ownership")
} }
if err := os.Chmod(destFile, fi.Mode()); err != nil {
return errors.Wrap(err, "copying file mode")
}
return nil return nil
} }
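Review bot: The new `os.Chmod(destFile, fi.Mode())` carries no explanation of why it must run after `CopyOwnership`, and that ordering is the whole fix: on Linux a chown clears the setuid/setgid bits of an executable, so a mode applied before ownership would be lost again. Add a why-comment above the call such as `// Re-apply the source mode after CopyOwnership: chown clears setuid/setgid on Linux, which dropped them on multi-stage COPY (#2075).` so the next refactor does not reorder the two calls. `fi` comes from `os.Lstat`, so when `src` is a directory the chmod only restores the mode of the top-level entry; whether entries copied beneath it by `otiai10Cpy.Copy` keep their bits after `CopyOwnership` depends on code outside this hunk and is worth confirming. The exported `CopyFileOrSymlink` also still has no doc comment; `// CopyFileOrSymlink copies src (relative to root) into destDir, recreating symlinks and preserving the source ownership and mode bits.` would cover the contract the test now depends on.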