Tighten permissions on created directory#743
Conversation
|
@nalind @mtrmac @vrothberg @rhvgoyal @saschagrunert PTAL |
|
Conceptually, I would expect the permissions of the So I don’t understand how the PR description and the code really relates; at best changing one hard-coded value for another replaces one set of images with non-matching permissions with another set. With my very minimal understanding of overlay, are all of those directories even container-observable? I thought that the permissions of mount points before the mount happens basically don’t matter. Either way, I was expecting some way to apply the permissions from the layer tarball to the root of the extracted tree (or, even, some code that removes something that prevents such permission application, which should be the default behavior). This may well be correct but it is surprising to me at a first glance, and I don’t know enough about overlay or c/storage to immediately say one way or another — I’ll defer to experts. |
|
agree with @mtrmac. We should probably set the same permissions as the rootfs in the image, otherwise switching a hardcoded value for another will silent the rpm warning but can introduce other regressions. As you pointed out, running without Reinstalling |
|
@nalind Didn't we talk about this a while ago, and figured out there was an issue in / of the container. |
|
The root directory of a layer is frequently omitted from layer blobs in images (for example, docker.io/library/fedora), though the one in the bug report appears to be an exception to that. In the case of overlay, if I'm reading the docs right, the permissions on the upper ("diff") directory are the ones that are visible for the mountpoint. |
drivers/overlay/overlay.go
Outdated
| _ = idtools.MkdirAs(lower1Dir, 0500, rootUID, rootGID) | ||
| _ = idtools.MkdirAs(lower2Dir, 0500, rootUID, rootGID) | ||
| _ = idtools.MkdirAs(upperDir, 0500, rootUID, rootGID) | ||
| _ = idtools.MkdirAs(workDir, 0500, rootUID, rootGID) |
There was a problem hiding this comment.
This is run-time feature test code. We delete these directories when the test is finished. What's the purpose of this hunk?
There was a problem hiding this comment.
Just globally changed the permissions.
|
As an alternate approach that I haven't tested, does defaulting the permissions of the "diff" directory for a layer to the permissions of its parent layer's "diff" directory, if it has one, provide the desired result? I'd expect that to bring us more in line the device mapper driver. |
54cca22 to
6d33a94
Compare
3109c8c to
ee02f73
Compare
The mount points of containers are being marked as 755 where a lot of images now come with the default for "/", as 555. The tighter controls on / means that a root process can not modify the / directory without DAC_OVERRIDE. And some consider this better security. Bottom line is tools like `rpm -qVf /` are reporting failures on permissions on / in lots of RPM based images. Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
|
Nalin points out that most/alot of container images do not come with ./ inside of them. IE the tar ball contains. (Fedora comes this way) For these containers need a safe default. Fedora, Centos, RHEL have decided that the safe default for /, is 555. So we should go with that. This PR attempts to look at the parent directory or the directory of lower layers and use it. |
vrothberg
left a comment
There was a problem hiding this comment.
LGTM ... Ubuntu is sick atm
|
@giuseppe @vrothberg Please /approve this PR so testing will happen |
|
/approve |
| if err != nil { | ||
| return err | ||
| } | ||
| perms = os.FileMode(st.Mode()) |
There was a problem hiding this comment.
In all instances: AFAICS st.Mode() is already an os.FileMode, so the cast is unnecessary; OTOH the value also includes the file type bits.
So AFAICS this should be perms = st.Mode().Perms().
There was a problem hiding this comment.
if I pass st.Mode() I get this error.
make
GO111MODULE=on go build -mod=vendor -compiler gc -tags " " ./cmd/containers-storage
# github.com/containers/storage/drivers/overlay
drivers/overlay/overlay.go:582:9: cannot use st.Mode() (type uint32) as type os.FileMode in assignment
make: *** [Makefile:53: containers-storage] Error 2
Which indicates that st.Mode() has no value of perms and needs the cast.
Note this is a system.Stat not an os.Stat.
A change introduced by [1] makes it impossible to create a directory entry right under container's root directory, so the test case "should enforce a permissive profile" fails. For the purpose of this test it does not matter where we create the file, so let's do it under /tmp. [1] containers/storage#743 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
A change introduced by [1] makes it impossible to create a directory entry right under container's root directory, so the test case "should enforce a permissive profile" fails. For the purpose of this test it does not matter where we create the file, so let's do it under /tmp. [1] containers/storage#743 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
A change introduced by [1] makes it impossible to create a directory entry right under container's root directory, so the test case "should enforce a permissive profile" fails. For the purpose of this test it does not matter where we create the file, so let's do it under /tmp. [1] containers/storage#743 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> (cherry picked from commit 956463e) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
|
I know this is an old PR but all the relevant people are here, and this is now biting me. It took me quite a while to understand that basically container runtimes have always ignored AI-generated summary in https://gist.github.com/cgwalters/c18c9337aa9345d763aa446cc95c7847 (but of course with a lot of guidance and tweaking from me) I am probably going to work around this in composefs by setting the metadata for |
OCI container layer tars often don't include a root directory entry, and when they do, container runtimes (Podman, Docker) ignore it and use hardcoded defaults. This makes root metadata non-deterministic, causing composefs digest mismatches. For detailed analysis of this issue, see: https://gist.github.com/cgwalters/c18c9337aa9345d763aa446cc95c7847 containers/storage#743 Since the metadata of `/` is ill-defined in the OCI spec, we default to copying it from `/usr` - no one should care if these differ, except for SELinux labels which we handle separately in the boot path. Add new APIs: - copy_root_metadata_from_usr(): copies mode, uid, gid, mtime, xattrs from /usr to root directory - read_container_root(): wrapper that calls read_filesystem() then copy_root_metadata_from_usr() Remove the incomplete have_root_stat/ensure_root_stat() mechanism which only handled mtime, not permissions or other metadata. Update cfsctl commands (compute-id, create-image, create-dumpfile) to use read_container_root() by default. Add --no-propagate-usr-to-root flag to use raw read_filesystem() when root metadata is well-defined. Assisted-by: OpenCode (Opus 4.5)
OCI container layer tars often don't include a root directory entry, and when they do, container runtimes (Podman, Docker) ignore it and use hardcoded defaults. This makes root metadata non-deterministic, causing composefs digest mismatches. For detailed analysis of this issue, see: https://gist.github.com/cgwalters/c18c9337aa9345d763aa446cc95c7847 containers/storage#743 Since the metadata of `/` is ill-defined in the OCI spec, we default to copying it from `/usr` - no one should care if these differ, except for SELinux labels which we handle separately in the boot path. Add new APIs: - copy_root_metadata_from_usr(): copies mode, uid, gid, mtime, xattrs from /usr to root directory - read_container_root(): wrapper that calls read_filesystem() then copy_root_metadata_from_usr() Remove the incomplete have_root_stat/ensure_root_stat() mechanism which only handled mtime, not permissions or other metadata. Update cfsctl commands (compute-id, create-image, create-dumpfile) to use read_container_root() by default. Add --no-propagate-usr-to-root flag to use raw read_filesystem() when root metadata is well-defined. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
OCI container layer tars often don't include a root directory entry, and when they do, container runtimes (Podman, Docker) ignore it and use hardcoded defaults. This makes root metadata non-deterministic, causing composefs digest mismatches. For detailed analysis of this issue, see: https://gist.github.com/cgwalters/c18c9337aa9345d763aa446cc95c7847 containers/storage#743 Since the metadata of `/` is ill-defined in the OCI spec, we default to copying it from `/usr` - no one should care if these differ, except for SELinux labels which we handle separately in the boot path. Add new APIs: - copy_root_metadata_from_usr(): copies mode, uid, gid, mtime, xattrs from /usr to root directory - read_container_root(): wrapper that calls read_filesystem() then copy_root_metadata_from_usr() Remove the incomplete have_root_stat/ensure_root_stat() mechanism which only handled mtime, not permissions or other metadata. Update cfsctl commands (compute-id, create-image, create-dumpfile) to use read_container_root() by default. Add --no-propagate-usr-to-root flag to use raw read_filesystem() when root metadata is well-defined. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
OCI container layer tars often don't include a root directory entry, and when they do, container runtimes (Podman, Docker) ignore it and use hardcoded defaults. This makes root metadata non-deterministic, causing composefs digest mismatches. For detailed analysis of this issue, see: https://gist.github.com/cgwalters/c18c9337aa9345d763aa446cc95c7847 containers/storage#743 Since the metadata of `/` is ill-defined in the OCI spec, we default to copying it from `/usr` - no one should care if these differ, except for SELinux labels which we handle separately in the boot path. Add new APIs: - copy_root_metadata_from_usr(): copies mode, uid, gid, mtime, xattrs from /usr to root directory - read_container_root(): wrapper that calls read_filesystem() then copy_root_metadata_from_usr() Remove the incomplete have_root_stat/ensure_root_stat() mechanism which only handled mtime, not permissions or other metadata. Update cfsctl commands (compute-id, create-image, create-dumpfile) to use read_container_root() by default. Add --no-propagate-usr-to-root flag to use raw read_filesystem() when root metadata is well-defined. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
OCI container layer tars often don't include a root directory entry, and when they do, container runtimes (Podman, Docker) ignore it and use hardcoded defaults. This makes root metadata non-deterministic, causing composefs digest mismatches. For detailed analysis of this issue, see: https://gist.github.com/cgwalters/c18c9337aa9345d763aa446cc95c7847 containers/storage#743 Since the metadata of `/` is ill-defined in the OCI spec, we default to copying it from `/usr` - no one should care if these differ, except for SELinux labels which we handle separately in the boot path. Add new APIs: - copy_root_metadata_from_usr(): copies mode, uid, gid, mtime, xattrs from /usr to root directory - read_container_root(): wrapper that calls read_filesystem() then copy_root_metadata_from_usr() Remove the incomplete have_root_stat/ensure_root_stat() mechanism which only handled mtime, not permissions or other metadata. Update cfsctl commands (compute-id, create-image, create-dumpfile) to use read_container_root() by default. Add --no-propagate-usr-to-root flag to use raw read_filesystem() when root metadata is well-defined. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
OCI container layer tars often don't include a root directory entry, and when they do, container runtimes (Podman, Docker) ignore it and use hardcoded defaults. This makes root metadata non-deterministic, causing composefs digest mismatches. For detailed analysis of this issue, see: https://gist.github.com/cgwalters/c18c9337aa9345d763aa446cc95c7847 containers/storage#743 Since the metadata of `/` is ill-defined in the OCI spec, we default to copying it from `/usr` - no one should care if these differ, except for SELinux labels which we handle separately in the boot path. Add new APIs: - copy_root_metadata_from_usr(): copies mode, uid, gid, mtime, xattrs from /usr to root directory - read_container_root(): wrapper that calls read_filesystem() then copy_root_metadata_from_usr() Remove the incomplete have_root_stat/ensure_root_stat() mechanism which only handled mtime, not permissions or other metadata. Update cfsctl commands (compute-id, create-image, create-dumpfile) to use read_container_root() by default. Add --no-propagate-usr-to-root flag to use raw read_filesystem() when root metadata is well-defined. Assisted-by: OpenCode (Opus 4.5) Signed-off-by: Colin Walters <walters@verbum.org>
The mount points of containers are being marked as 755 where
a lot of images now come with the default for "/", as 555.
The tighter controls on / means that a root process can not
modify the / directory without DAC_OVERRIDE. And some consider
this better security. Bottom line is tools like
rpm -qVf /are reporting failures on permissions on / in lots of RPM
based images.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1854566
Signed-off-by: Daniel J Walsh dwalsh@redhat.com