mkdirall: os.MkdirAll incompatibility wrt suid and sgid bits #23
Comments
This was referenced Sep 13, 2024
cyphar
added a commit
to cyphar/runc
that referenced
this issue
Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by Linux (though the sticky bit is honoured), and some users are requesting mode bits that are ignored. While returning an error (as securejoin does) makes some sense, this is a regression. Ref: cyphar/filepath-securejoin#23 Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/runc
that referenced
this issue
Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by Linux (though the sticky bit is honoured), and some users are requesting mode bits that are ignored. While returning an error (as securejoin does) makes some sense, this is a regression. Ref: cyphar/filepath-securejoin#23 Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/runc
that referenced
this issue
Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by Linux (though the sticky bit is honoured), and some users are requesting mode bits that are ignored. While returning an error (as securejoin does) makes some sense, this is a regression. Ref: cyphar/filepath-securejoin#23 Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/runc
that referenced
this issue
Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by Linux (though the sticky bit is honoured), and some users are requesting mode bits that are ignored. While returning an error (as securejoin does) makes some sense, this is a regression. Ref: cyphar/filepath-securejoin#23 Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
cyphar
added a commit
to cyphar/runc
that referenced
this issue
Sep 13, 2024
It turns out that the suid and sgid mode bits are silently ignored by Linux (though the sticky bit is honoured), and some users are requesting mode bits that are ignored. While returning an error (as securejoin does) makes some sense, this is a regression. Ref: cyphar/filepath-securejoin#23 Fixes: dd827f7 ("utils: switch to securejoin.MkdirAllHandle") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
dims
pushed a commit
to dims/libcontainer
that referenced
this issue
Oct 19, 2024
It turns out that the suid and sgid mode bits are silently ignored by Linux (though the sticky bit is honoured), and some users are requesting mode bits that are ignored. While returning an error (as securejoin does) makes some sense, this is a regression. Ref: cyphar/filepath-securejoin#23 Fixes: a447f5b ("utils: switch to securejoin.MkdirAllHandle") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If you pass the suid/sgid bits to
mkdirat, POSIX systems ignore those bits (Linux does honour the sticky bit but other operating systems don't). This is expected behaviour documented in the Linux man pages. Go'sos.Mkdironly guarantees that the sticky bit is set and silently ignores the suid and sgid bits.My philosophy was that we don't want to ignore bits users requested. However, it seems that with runc some users set nonsense bits and don't care about the results. In runc, we can fix this by masking those bits explicitly -- but should change our behaviour to give a more useful error if you pass those bits?
I noticed this while working on tests, but decided to not do any special handling until someone found a real example of it. Reported as an actual issue by @lifubang in opencontainers/runc#4393 (comment).
The text was updated successfully, but these errors were encountered: