From 4058ba2e604c68c84ae8ba10766a79fcd7e4ff82 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Date: Fri, 30 Aug 2024 09:16:25 +0200
Subject: [PATCH 1/3] build_library: Don't preserve file ownership when copying
 sysext files

The docker and containerd copy files from the repository, which are owned by
the sdk user. This ownership leaks into the final image, which means the first
created user could edit systemd files. This is bad.

Modify the cp invocation to copy files without preserving ownership. The
sysext-mangle script is called by build_sysext, which is executed using sudo.

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
---
 build_library/sysext_mangle_containerd-flatcar | 3 ++-
 build_library/sysext_mangle_docker-flatcar     | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/build_library/sysext_mangle_containerd-flatcar b/build_library/sysext_mangle_containerd-flatcar
index 1d3502d33a..37b89e52dd 100755
--- a/build_library/sysext_mangle_containerd-flatcar
+++ b/build_library/sysext_mangle_containerd-flatcar
@@ -12,7 +12,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
 
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
 
 mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"
diff --git a/build_library/sysext_mangle_docker-flatcar b/build_library/sysext_mangle_docker-flatcar
index b2c055324d..6928716023 100755
--- a/build_library/sysext_mangle_docker-flatcar
+++ b/build_library/sysext_mangle_docker-flatcar
@@ -11,7 +11,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
 
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
 
 mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
 { echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"

From 9429d2f2e160c2125d28fea0dc2a1e491b59dda5 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Date: Fri, 30 Aug 2024 09:42:34 +0200
Subject: [PATCH 2/3] build_sysext: Add check for invalid file permissions in
 sysext

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
---
 build_sysext | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/build_sysext b/build_sysext
index 7986adb96d..823313ef3d 100755
--- a/build_sysext
+++ b/build_sysext
@@ -295,6 +295,12 @@ printf '%s\n' "${all_fields[@]}" >"${BUILD_DIR}/install-root/usr/lib/extension-r
 info "Removing opaque directory markers to always merge all contents"
 find "${BUILD_DIR}/install-root" -xdev -type d -exec sh -c 'if [ "$(attr -R -q -g overlay.opaque {} 2>/dev/null)" = y ]; then attr -R -r overlay.opaque {}; fi' \;
 
+info "Checking for invalid file ownership"
+invalid_files=$(find "${BUILD_DIR}/install-root" -user sdk -or -group sdk)
+if [[ -n "${invalid_files}" ]]; then
+  die "Invalid file ownership: ${invalid_files}"
+fi
+
 mksquashfs "${BUILD_DIR}/install-root" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
                -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
 rm -rf "${BUILD_DIR}"/{fs-root,install-root,workdir}

From 4208d43e8907f6b198d5ab3c70b0a9de835e5f97 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Date: Fri, 30 Aug 2024 09:52:50 +0200
Subject: [PATCH 3/3] changelog: Add entry for sysext file ownership bugfix

Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
---
 changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md

diff --git a/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
new file mode 100644
index 0000000000..2c0c292909
--- /dev/null
+++ b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
@@ -0,0 +1 @@
+- Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. ([scripts#2266](https://github.com/flatcar/scripts/pull/2266))