Don't expose account names when creating tar files with hard-coded ac…

…count IDs A prerequisite for fixing containers/image#1627 . Signed-off-by: Miloslav Trmač <mitr@redhat.com>
mtrmac · Nov 28, 2023 · 819ac44 · 819ac44
1 parent d731b42
commit 819ac44
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/pkg/archive/archive.go b/pkg/archive/archive.go
@@ -534,6 +534,10 @@ func (ta *tarAppender) addTarFile(path, name string) error {
 	if ta.ChownOpts != nil {
 		hdr.Uid = ta.ChownOpts.UID
 		hdr.Gid = ta.ChownOpts.GID
+		// Don’t expose the user names from the local system; they probably don’t match the ta.ChownOpts value anyway,
+		// and they unnecessarily give recipients of the tar file potentially private data.
+		hdr.Uname = ""
+		hdr.Gname = ""
 	}
 
 	maybeTruncateHeaderModTime(hdr)