Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

mkdirall: os.MkdirAll incompatibility wrt suid and sgid bits #23

Closed
cyphar opened this issue Sep 13, 2024 · 0 comments · Fixed by #25
Closed

mkdirall: os.MkdirAll incompatibility wrt suid and sgid bits #23

cyphar opened this issue Sep 13, 2024 · 0 comments · Fixed by #25

Comments

@cyphar
Copy link
Owner

cyphar commented Sep 13, 2024

If you pass the suid/sgid bits to mkdirat, POSIX systems ignore those bits (Linux does honour the sticky bit but other operating systems don't). This is expected behaviour documented in the Linux man pages. Go's os.Mkdir only guarantees that the sticky bit is set and silently ignores the suid and sgid bits.

My philosophy was that we don't want to ignore bits users requested. However, it seems that with runc some users set nonsense bits and don't care about the results. In runc, we can fix this by masking those bits explicitly -- but should change our behaviour to give a more useful error if you pass those bits?


I noticed this while working on tests, but decided to not do any special handling until someone found a real example of it. Reported as an actual issue by @lifubang in opencontainers/runc#4393 (comment).

cyphar added a commit to cyphar/runc that referenced this issue Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: cyphar/filepath-securejoin#23
Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <[email protected]>
cyphar added a commit to cyphar/runc that referenced this issue Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: cyphar/filepath-securejoin#23
Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <[email protected]>
cyphar added a commit to cyphar/runc that referenced this issue Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: cyphar/filepath-securejoin#23
Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <[email protected]>
cyphar added a commit to cyphar/runc that referenced this issue Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: cyphar/filepath-securejoin#23
Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <[email protected]>
cyphar added a commit to cyphar/runc that referenced this issue Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: cyphar/filepath-securejoin#23
Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <[email protected]>
dims pushed a commit to dims/libcontainer that referenced this issue Oct 19, 2024
It turns out that the suid and sgid mode bits are silently ignored by
Linux (though the sticky bit is honoured), and some users are requesting
mode bits that are ignored. While returning an error (as securejoin
does) makes some sense, this is a regression.

Ref: cyphar/filepath-securejoin#23
Fixes: a447f5b ("utils: switch to securejoin.MkdirAllHandle")
Signed-off-by: Aleksa Sarai <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant