From 3efaa61ebe826adb2e66168d399ef3d0466fba7f Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Date: Fri, 30 Aug 2024 09:16:25 +0200
Subject: [PATCH 1/3] build_library: Don't preserve file ownership when copying
 sysext files

The docker and containerd copy files from the repository, which are owned by
the sdk user. This ownership leaks into the final image, which means the first
created user could edit systemd files. This is bad.

Modify the cp invocation to copy files without preserving ownership. The
sysext-mangle script is called by build_sysext, which is executed using sudo.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
---
 build_library/sysext_mangle_containerd-flatcar | 3 ++-
 build_library/sysext_mangle_docker-flatcar     | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/build_library/sysext_mangle_containerd-flatcar b/build_library/sysext_mangle_containerd-flatcar
index 1d3502d33a..37b89e52dd 100755
--- a/build_library/sysext_mangle_containerd-flatcar
+++ b/build_library/sysext_mangle_containerd-flatcar
@@ -12,7 +12,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
 
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
 
 mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"
diff --git a/build_library/sysext_mangle_docker-flatcar b/build_library/sysext_mangle_docker-flatcar
index b2c055324d..6928716023 100755
--- a/build_library/sysext_mangle_docker-flatcar
+++ b/build_library/sysext_mangle_docker-flatcar
@@ -11,7 +11,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
 
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
 
 mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
 { echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"

From a568ada5c5350eeb7502a5d6bcb0c1abebedd072 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Date: Fri, 30 Aug 2024 09:42:34 +0200
Subject: [PATCH 2/3] build_sysext: Add check for invalid file permissions in
 sysext

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
---
 build_sysext | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/build_sysext b/build_sysext
index 7986adb96d..823313ef3d 100755
--- a/build_sysext
+++ b/build_sysext
@@ -295,6 +295,12 @@ printf '%s\n' "${all_fields[@]}" >"${BUILD_DIR}/install-root/usr/lib/extension-r
 info "Removing opaque directory markers to always merge all contents"
 find "${BUILD_DIR}/install-root" -xdev -type d -exec sh -c 'if [ "$(attr -R -q -g overlay.opaque {} 2>/dev/null)" = y ]; then attr -R -r overlay.opaque {}; fi' \;
 
+info "Checking for invalid file ownership"
+invalid_files=$(find "${BUILD_DIR}/install-root" -user sdk -or -group sdk)
+if [[ -n "${invalid_files}" ]]; then
+  die "Invalid file ownership: ${invalid_files}"
+fi
+
 mksquashfs "${BUILD_DIR}/install-root" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
                -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
 rm -rf "${BUILD_DIR}"/{fs-root,install-root,workdir}

From 6fad42fc905f509f506ba16050b50f7c32016e56 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Date: Fri, 30 Aug 2024 09:52:50 +0200
Subject: [PATCH 3/3] changelog: Add entry for sysext file ownership bugfix

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
---
 changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md

diff --git a/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
new file mode 100644
index 0000000000..2c0c292909
--- /dev/null
+++ b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
@@ -0,0 +1 @@
+- Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. ([scripts#2266](https://github.com/flatcar/scripts/pull/2266))