Merge pull request #2266 from flatcar/jepio/fix-sysext-ownership

fix ownership of containerd/docker sysext files
2025-09-23 22:51:03 +02:00 · 2024-09-02 10:01:49 +02:00 · 2024-09-02 10:01:49 +02:00 · a7464f71cf
commit a7464f71cf
parent 79bfdcba39 412298cd39
4 changed files with 11 additions and 2 deletions
--- a/build_library/sysext_mangle_containerd-flatcar
+++ b/build_library/sysext_mangle_containerd-flatcar
@ -12,7 +12,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"

 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"

 mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"
--- a/build_library/sysext_mangle_docker-flatcar
+++ b/build_library/sysext_mangle_docker-flatcar
@ -11,7 +11,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"

 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"

 mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
 { echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"
--- a/6
+++ b/6
@ -295,6 +295,12 @@ printf '%s\n' "${all_fields[@]}" >"${BUILD_DIR}/install-root/usr/lib/extension-r
 info "Removing opaque directory markers to always merge all contents"
 find "${BUILD_DIR}/install-root" -xdev -type d -exec sh -c 'if [ "$(attr -R -q -g overlay.opaque {} 2>/dev/null)" = y ]; then attr -R -r overlay.opaque {}; fi' \;

+info "Checking for invalid file ownership"
+invalid_files=$(find "${BUILD_DIR}/install-root" -user sdk -or -group sdk)
+if [[ -n "${invalid_files}" ]]; then
+  die "Invalid file ownership: ${invalid_files}"
+fi
+
 mksquashfs "${BUILD_DIR}/install-root" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
               -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
 rm -rf "${BUILD_DIR}"/{fs-root,install-root,workdir}
--- a/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
+++ b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
@ -0,0 +1 @@
+- Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. ([scripts#2266](https://github.com/flatcar/scripts/pull/2266))
				`@ -0,0 +1 @@`
				`- Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. ([scripts#2266](https://github.com/flatcar/scripts/pull/2266))`