From 1f6b10b699524daf3057c37e42c07ae6fa7e354f Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Wed, 9 Aug 2017 11:13:44 -0400
Subject: [PATCH] Use lchown when remapping rootfs

Use lchown when remapping the container's rootfs as to ensure that the symlink has the correct permissions but the underlying file that it points to is not modified. Remapping on the host can cause host files to change outside of the rootfs if symlinks are dereferenced.

Signed-off-by: Michael Crosby
---
 spec_unix.go | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/spec_unix.go b/spec_unix.go
index 79d3fc9fe..39d182d41 100644
--- a/spec_unix.go
+++ b/spec_unix.go
@@ -6,12 +6,10 @@ import (
 "io/ioutil"
 "os"
 "path/filepath"
- "strings"
 "syscall"
 "golang.org/x/sys/unix"
- "github.com/containerd/containerd/fs"
 "github.com/containerd/containerd/mount"
 specs "github.com/opencontainers/runtime-spec/specs-go"
 )
@@ -177,17 +175,10 @@ func incrementFS(root string, uidInc, gidInc uint32) filepath.WalkFunc {
 return nil
 }
 var (
- stat = info.Sys().(*syscall.Stat_t)
- u, g = int(stat.Uid + uidInc), int(stat.Gid + gidInc)
- symlink = info.Mode()&os.ModeSymlink != 0
+ stat = info.Sys().(*syscall.Stat_t)
+ u, g = int(stat.Uid + uidInc), int(stat.Gid + gidInc)
 )
- // make sure we resolve links inside the root for symlinks
- if path, err = fs.RootPath(root, strings.TrimPrefix(path, root)); err != nil {
- return err
- }
- if err := os.Chown(path, u, g); err != nil && !symlink {
- return err
- }
- return nil
+ // be sure the lchown the path as to not de-reference the symlink to a host file
+ return os.Lchown(path, u, g)
 }
 }
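Review bot: The id arithmetic kept in the `var` block of the second hunk, `u, g = int(stat.Uid + uidInc), int(stat.Gid + gidInc)`, is done in uint32 and wraps silently, so an entry whose on-disk owner is near the top of the range could be chowned to a low host id instead of into the remapped range. A guard before the `os.Lchown` call such as `if stat.Uid+uidInc < stat.Uid || stat.Gid+gidInc < stat.Gid` returning an error would reject those entries; whether the mapping size is bounded elsewhere is not visible in this hunk. The `info.Sys().(*syscall.Stat_t)` assertion is also unchecked and would panic rather than return an error if the underlying type differed. The new comment reads better as `// lchown the path so a symlink is never dereferenced to a host file`. The closure returned by incrementFS starts above the hunk, so any earlier checks on `info` are not visible here.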