From 4058ba2e604c68c84ae8ba10766a79fcd7e4ff82 Mon Sep 17 00:00:00 2001 From: Jeremi Piotrowski Date: Fri, 30 Aug 2024 09:16:25 +0200 Subject: [PATCH] build_library: Don't preserve file ownership when copying sysext files The docker and containerd copy files from the repository, which are owned by the sdk user. This ownership leaks into the final image, which means the first created user could edit systemd files. This is bad. Modify the cp invocation to copy files without preserving ownership. The sysext-mangle script is called by build_sysext, which is executed using sudo. Signed-off-by: Jeremi Piotrowski --- build_library/sysext_mangle_containerd-flatcar | 3 ++- build_library/sysext_mangle_docker-flatcar | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/build_library/sysext_mangle_containerd-flatcar b/build_library/sysext_mangle_containerd-flatcar index 1d3502d33a..37b89e52dd 100755 --- a/build_library/sysext_mangle_containerd-flatcar +++ b/build_library/sysext_mangle_containerd-flatcar @@ -12,7 +12,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)" files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd" echo ">>> NOTICE $0: installing extra files from '${files_dir}'" -cp -va "${files_dir}/"* "${rootfs}" +# ATTENTION: don't preserve ownership as repo is owned by sdk user +cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}" mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d" { echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf" diff --git a/build_library/sysext_mangle_docker-flatcar b/build_library/sysext_mangle_docker-flatcar index b2c055324d..6928716023 100755 --- a/build_library/sysext_mangle_docker-flatcar +++ b/build_library/sysext_mangle_docker-flatcar @@ -11,7 +11,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)" files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker" echo ">>> NOTICE $0: installing extra files from '${files_dir}'" -cp -va "${files_dir}/"* "${rootfs}" +# ATTENTION: don't preserve ownership as repo is owned by sdk user +cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}" mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d" { echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"