From ff6279a6b034d610273133bad028ef20f68cf5db Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Fri, 30 Aug 2024 09:16:25 +0200
Subject: [PATCH 1/3] build_library: Don't preserve file ownership when copying sysext files
The docker and containerd copy files from the repository, which are owned by the sdk user. This ownership leaks into the final image, which means the first created user could edit systemd files. This is bad. Modify the cp invocation to copy files without preserving ownership. The sysext-mangle script is called by build_sysext, which is executed using sudo.
Signed-off-by: Jeremi Piotrowski
---
 build_library/sysext_mangle_containerd-flatcar | 3 ++-
 build_library/sysext_mangle_docker-flatcar | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/build_library/sysext_mangle_containerd-flatcar b/build_library/sysext_mangle_containerd-flatcar
index 1d3502d33a..37b89e52dd 100755
--- a/build_library/sysext_mangle_containerd-flatcar
+++ b/build_library/sysext_mangle_containerd-flatcar
@@ -12,7 +12,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
 mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"
diff --git a/build_library/sysext_mangle_docker-flatcar b/build_library/sysext_mangle_docker-flatcar
index b2c055324d..6928716023 100755
--- a/build_library/sysext_mangle_docker-flatcar
+++ b/build_library/sysext_mangle_docker-flatcar
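Review bot: The new cp line swaps `-a` for `-dR --preserve=mode,timestamps`, which drops not only ownership but also the xattrs and security context that `-a` (`--preserve=all`) carried, while the ATTENTION comment mentions ownership only; the sysext_mangle_docker-flatcar hunk has the same change. For files checked out of git this probably makes no practical difference, but if dropping ownership is the whole intent, `cp -va --no-preserve=ownership "${files_dir}/"* "${rootfs}"` states exactly that and keeps the rest of `-a`'s semantics. The resulting owner is whoever invokes the script, and nothing in this hunk enforces the root-via-sudo assumption given in the commit message, so I would extend the comment to `# ATTENTION: don't preserve ownership (repo is owned by the sdk user); this must run as root so the copies end up 0:0`. The rest of the script, including where `rootfs` is set, is outside the hunk.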
@@ -11,7 +11,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
 mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
 { echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"
From 247fcc2e93c4530c77dd299998acbe946276b2bf Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Fri, 30 Aug 2024 09:42:34 +0200
Subject: [PATCH 2/3] build_sysext: Add check for invalid file permissions in sysext
Signed-off-by: Jeremi Piotrowski
---
 build_sysext | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/build_sysext b/build_sysext
index 7986adb96d..823313ef3d 100755
--- a/build_sysext
+++ b/build_sysext
@@ -295,6 +295,12 @@ printf '%s\n' "${all_fields[@]}" >"${BUILD_DIR}/install-root/usr/lib/extension-r
 info "Removing opaque directory markers to always merge all contents"
 find "${BUILD_DIR}/install-root" -xdev -type d -exec sh -c 'if [ "$(attr -R -q -g overlay.opaque {} 2>/dev/null)" = y ]; then attr -R -r overlay.opaque {}; fi' \;
+info "Checking for invalid file ownership"
+invalid_files=$(find "${BUILD_DIR}/install-root" -user sdk -or -group sdk)
+if [[ -n "${invalid_files}" ]]; then
+ die "Invalid file ownership: ${invalid_files}"
+fi
+
 mksquashfs "${BUILD_DIR}/install-root" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
 -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
 rm -rf "${BUILD_DIR}"/{fs-root,install-root,workdir}
From 412298cd391fcc527fe167c798e1b542eb54844e Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Fri, 30 Aug 2024 09:52:50 +0200
Subject: [PATCH 3/3] changelog: Add entry for sysext file ownership bugfix
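Review bot: The ownership check at `invalid_files=$(find "${BUILD_DIR}/install-root" -user sdk -or -group sdk)` only catches the one bad owner this series fixes, and `find -user sdk` fails with an unrelated "not the name of a known user" error on a host without an `sdk` account, which either aborts the step under `set -e` or, otherwise, leaves `invalid_files` empty and lets the check pass silently. Inverting the test, `invalid_files=$(find "${BUILD_DIR}/install-root" -xdev \( ! -user root -o ! -group root \))`, enforces the 0:0 invariant described in the changelog without depending on the account name, assuming no sysext intentionally ships non-root-owned paths (if one does, an allow-list is needed); `-xdev` is also what the find two lines above uses. The newline-separated list is interpolated straight into the `die` message, so for more than a handful of paths `printf '%s\n' "${invalid_files}" >&2` followed by a short `die` would read better. How `die` and `info` are defined, and the rest of build_sysext, is outside the hunk.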
Signed-off-by: Jeremi Piotrowski
---
 changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
diff --git a/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
new file mode 100644
index 0000000000..2c0c292909
--- /dev/null
+++ b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
@@ -0,0 +1 @@
+- Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. ([scripts#2266](https://github.com/flatcar/scripts/pull/2266))