Merge pull request containers#11473 from nalind/build-context-as-root
pkg/bindings/images.nTar(): set ownership of build context to 0:0
openshift-merge-robot authored Sep 8, 2021
2 parents 536f23c + 748c270 commit 598d914
Showing 2 changed files with 30 additions and 0 deletions.
3 changes: 3 additions & 0 deletions pkg/bindings/images/build.go
Expand Up @@ -501,6 +501,7 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) {
if err != nil {
return err
}
hdr.Uid, hdr.Gid = 0, 0
orig, ok := seen[di]
if ok {
hdr.Typeflag = tar.TypeLink
Expand Down Expand Up @@ -532,6 +533,7 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) {
return lerr
}
hdr.Name = name
hdr.Uid, hdr.Gid = 0, 0
if lerr := tw.WriteHeader(hdr); lerr != nil {
return lerr
}
Expand All @@ -545,6 +547,7 @@ func nTar(excludes []string, sources ...string) (io.ReadCloser, error) {
return lerr
}
hdr.Name = name
hdr.Uid, hdr.Gid = 0, 0
if lerr := tw.WriteHeader(hdr); lerr != nil {
return lerr
}
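Review bot: The three new `hdr.Uid, hdr.Gid = 0, 0` assignments (here and in the hunks at +533 and +547) zero the numeric IDs but leave `hdr.Uname`/`hdr.Gname` untouched; if `hdr` is produced by `tar.FileInfoHeader`, which on Unix also fills in the owning user and group names of the source file, the archive still carries the client's identity and an extractor that resolves names before numeric IDs would reinstate it. Clearing both together, `hdr.Uid, hdr.Gid = 0, 0` followed by `hdr.Uname, hdr.Gname = "", ""`, removes that ambiguity for any consumer. Since the same line is repeated three times, a short why-comment at the first occurrence would help the next reader, e.g. `// The server consuming this context may run with ID mappings that differ from the client's, so present everything as root-owned and let the server apply its own defaults.` nTar begins before this hunk and continues past it.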
27 changes: 27 additions & 0 deletions test/system/070-build.bats
Expand Up @@ -929,6 +929,33 @@ EOF
is "$output" ".*test1" "test1 should exists in the final image"
}

@test "podman build build context ownership" {
tmpdir=$PODMAN_TMPDIR/build-test
subdir=$tmpdir/subdir
mkdir -p $subdir

touch $tmpdir/empty-file.txt
if is_remote && ! is_rootless ; then
# TODO: set this file's owner to a UID:GID that will not be mapped
# in the context where the remote server is running, which generally
# requires us to be root (or running with more mapped IDs) on the
# client, but not root (or running with fewer mapped IDs) on the
# remote server
# 4294967292:4294967292 (0xfffffffc:0xfffffffc) isn't that, but
# it will catch errors where a remote server doesn't apply the right
# default as it copies content into the container
chown 4294967292:4294967292 $tmpdir/empty-file.txt
fi
cat >$tmpdir/Dockerfile <<EOF
FROM $IMAGE
COPY empty-file.txt .
RUN echo 0:0 | tee expected.txt
RUN stat -c "%u:%g" empty-file.txt | tee actual.txt
RUN cmp expected.txt actual.txt
EOF
run_podman build -t build_test $tmpdir
}

function teardown() {
# A timeout or other error in 'build' can leave behind stale images
# that podman can't even see and which will cascade into subsequent
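Review bot: `subdir` is created by `mkdir -p $subdir` but nothing in the Dockerfile copies or inspects it, so the directory path through nTar (the third hunk in build.go) is not exercised by this test. Either drop the unused setup or cover it, for instance with `COPY subdir subdir` and a second `stat -c "%u:%g" subdir` check compared against `0:0` alongside the file check. The `build_test` image is not removed inside the test body; if the `teardown()` below is what cleans it up, a one-line comment to that effect would save the reader a lookup.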
