Fix ownership of the working dir

The working dir should be owned by the owner of the container. Signed-off-by: Daniel J Walsh <[email protected]>
containers · Apr 27, 2020 · 3319344 · 3319344
1 parent 0b9a534
commit 3319344
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 1 deletion.
diff --git a/run_linux.go b/run_linux.go
@@ -165,7 +165,18 @@ func (b *Builder) Run(command []string, options RunOptions) error {
 	g = nil
 
 	logrus.Debugf("ensuring working directory %q exists", filepath.Join(mountPoint, spec.Process.Cwd))
-	if err = os.MkdirAll(filepath.Join(mountPoint, spec.Process.Cwd), 0755); err != nil && !os.IsExist(err) {
+	// Find out which user (and group) the destination should belong to.
+
+	user, _, err := b.user(mountPoint, options.User)
+	if err != nil {
+		return err
+	}
+	hostUID, hostGID, err := util.GetHostIDs(b.IDMappingOptions.UIDMap, b.IDMappingOptions.GIDMap, user.UID, user.GID)
+	if err != nil {
+		return err
+	}
+	hostOwner := idtools.IDPair{UID: int(hostUID), GID: int(hostGID)}
+	if err = idtools.MkdirAllAndChown(filepath.Join(mountPoint, spec.Process.Cwd), 0755, hostOwner); err != nil {
 		return errors.Wrapf(err, "error ensuring working directory %q exists", spec.Process.Cwd)
 	}
 

diff --git a/tests/bud.bats b/tests/bud.bats
@@ -2065,3 +2065,11 @@ EOM
   run grep "secretthings" <<< "$output"
   expect_output ""
 }
+
+@test "bud with user flags" {
+  _prefetch alpine
+  run_buildah bud --signature-policy ${TESTSDIR}/policy.json ${TESTSDIR}/bud/user
+  expect_output --substring "bin"
+  expect_output --substring "/home/work"
+  run_buildah rmi -a -f
+}
diff --git a/tests/bud/user/Containerfile b/tests/bud/user/Containerfile
@@ -0,0 +1,6 @@
+FROM alpine
+USER bin
+WORKDIR /home/work
+RUN ls -ld /home/work
+RUN touch file
+RUN ls -l /home/work/file