Skip to content

utils: mkdirall: fix handling of suid/sgid bits#4400

Merged
kolyshkin merged 4 commits intoopencontainers:mainfrom
cyphar:mkdirall-suidsgid-bits
Sep 14, 2024
Merged

utils: mkdirall: fix handling of suid/sgid bits#4400
kolyshkin merged 4 commits intoopencontainers:mainfrom
cyphar:mkdirall-suidsgid-bits

Conversation

@cyphar
Copy link
Copy Markdown
Member

@cyphar cyphar commented Sep 13, 2024
edited
Loading

Draft until filepath-securejoin v0.3.2 is released.

This fixes some minor issues with suid/sgid bits introduced by #4393.

/cc @lifubang
Fixes #4401
Signed-off-by: Aleksa Sarai cyphar@cyphar.com

@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch 2 times, most recently from 74139b6 to 85b09d6 Compare September 13, 2024 07:53
@cyphar
tests: add regression test for CVE-2019-19921 / CVE-2023-27561
457e1ff 
We reintroduced this once already because it is quite easy to miss this
subtle aspect of proc mounting. The recent migration to
securejoin.MkdirAllInRoot could have also inadvertently reintroduced
this (though it didn't).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch 2 times, most recently from 14a5320 to 079ebc3 Compare September 13, 2024 08:17
@cyphar
Copy link
Copy Markdown
Member Author

cyphar commented Sep 13, 2024

@lifubang Can you verify this fixes the dind issue? I added a test which should be a reproducer for the problem you hit.

@lifubang
Copy link
Copy Markdown
Member

lifubang commented Sep 13, 2024

@lifubang Can you verify this fixes the dind issue? I added a test which should be a reproducer for the problem you hit.

Has verified that it has indeed fixed the dind issue. Thanks.

@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch from 079ebc3 to a93a25e Compare September 13, 2024 10:50
@cyphar cyphar marked this pull request as ready for review September 13, 2024 10:50
@cyphar
Copy link
Copy Markdown
Member Author

cyphar commented Sep 13, 2024

I've released a new version of filepath-securejoin, so this should be ready now.

rata
rata approved these changes Sep 13, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@cyphar
utils: mkdirall: mask silently ignored mode bits to match os.MkdirAll
646efe7 
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: cyphar/filepath-securejoin#23
Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
vendor: update to github.com/cyphar/filepath-securejoin@v0.3.2
066b109 
This includes a fix for the handling of S_ISGID directories.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar
tests: integration: add setgid mkdirall test
d8844e2 
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar force-pushed the mkdirall-suidsgid-bits branch from a93a25e to d8844e2 Compare September 13, 2024 13:34
rata
rata approved these changes Sep 13, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@rata rata left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Still LGTM

kolyshkin
kolyshkin approved these changes Sep 14, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@kolyshkin kolyshkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kolyshkin kolyshkin merged commit d5ee7a5 into opencontainers:main Sep 14, 2024
@cyphar cyphar deleted the mkdirall-suidsgid-bits branch September 14, 2024 03:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rata rata rata approved these changes

@kolyshkin kolyshkin kolyshkin approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

mkdirall regression with filepath.MkdirAll

4 participants

@cyphar @lifubang @rata @kolyshkin