From 44e266b7a71ee60de28ec05e93a15058c6278350 Mon Sep 17 00:00:00 2001
From: Derek McGowan
Date: Fri, 25 Aug 2017 13:10:39 -0700
Subject: [PATCH] Use RootPath for resolving path inside of an image
Prevents unintentional lookup of host passwd file
Signed-off-by: Derek McGowan
---
 spec_opts_unix.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/spec_opts_unix.go b/spec_opts_unix.go
index 7c9a575a3..42a312fe5 100644
--- a/spec_opts_unix.go
+++ b/spec_opts_unix.go
@@ -16,6 +16,7 @@ import (
 "github.com/containerd/containerd/containers"
 "github.com/containerd/containerd/content"
+ "github.com/containerd/containerd/fs"
 "github.com/containerd/containerd/images"
 "github.com/containerd/containerd/namespaces"
 "github.com/opencontainers/image-spec/identity"
@@ -322,7 +323,11 @@ func WithUserID(uid uint32) SpecOpts {
 }
 }
 defer unix.Unmount(root, 0)
- f, err := os.Open(filepath.Join(root, "/etc/passwd"))
+ ppath, err := fs.RootPath(root, "/etc/passwd")
+ if err != nil {
+ return err
+ }
+ f, err := os.Open(ppath)
 if err != nil {
 return err
 }
@@ -370,7 +375,11 @@ func WithUsername(username string) SpecOpts {
 }
 }
 defer unix.Unmount(root, 0)
- f, err := os.Open(filepath.Join(root, "/etc/passwd"))
+ ppath, err := fs.RootPath(root, "/etc/passwd")
+ if err != nil {
+ return err
+ }
+ f, err := os.Open(ppath)
 if err != nil {
 return err
 }
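Review bot: The resolve-then-open sequence added in the WithUserID hunk is repeated verbatim in the WithUsername hunk, and neither copy records why `fs.RootPath` replaced `filepath.Join`, so a later lookup of a file inside an image could easily be written with the plain join again. Moving the two steps into one small helper with a comment gives the containment rule a single home; the comment should say that the path comes from image content and must be resolved inside `root` so the lookup cannot land on the host's file. The file is still opened by path after it has been resolved, which presumably is safe because nothing else writes to this temporary mount, but that assumption is worth stating in the same comment. Both function bodies start and end outside the hunks, so the helper name below is only a suggestion and should be checked against the rest of the file.

```go
// openInRoot opens name as seen from inside root. The path is resolved with
// fs.RootPath so that a symlink shipped in the image cannot redirect the
// lookup to a file on the host. The open is by path, so this relies on the
// mounted rootfs not changing between resolution and open.
func openInRoot(root, name string) (*os.File, error) {
	p, err := fs.RootPath(root, name)
	if err != nil {
		return nil, err
	}
	return os.Open(p)
}

// … unchanged: snapshot mount and deferred unmount in WithUserID / WithUsername …
f, err := openInRoot(root, "/etc/passwd")
if err != nil {
	return err
}
```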