🔧 Preserve suid,sgid and sticky bits when extracting images

2025-07-06 12:07:19 +00:00 · 2021-11-04 11:34:36 +01:00 · 2021-11-04 11:34:36 +01:00 · fba420865a
commit fba420865a
parent 9857bea5ff
4 changed files with 109 additions and 2 deletions
--- a/pkg/api/core/image/extract.go
+++ b/pkg/api/core/image/extract.go
@ -19,6 +19,7 @@ import (
 	"archive/tar"
 	"context"
 	"io"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
@ -208,6 +209,7 @@ func ExtractReader(ctx *types.Context, reader io.ReadCloser, output string, keep
 		PAX, Xattrs map[string]string
 		Uid, Gid    int
 		Name        string
+		FileMode    fs.FileMode
 	}

 	permstore, err := ctx.Config.System.TempDir("permstore")
@ -222,8 +224,9 @@ func ExtractReader(ctx *types.Context, reader io.ReadCloser, output string, keep
 			perms.SetValue(h.Name, permData{
 				PAX: h.PAXRecords,
 				Uid: h.Uid, Gid: h.Gid,
-				Xattrs: h.Xattrs,
-				Name:   h.Name,
+				Xattrs:   h.Xattrs,
+				Name:     h.Name,
+				FileMode: h.FileInfo().Mode(),
 			})
 			//perms = append(perms, })
 		}
@ -249,6 +252,10 @@ func ExtractReader(ctx *types.Context, reader io.ReadCloser, output string, keep
 				if err := os.Lchown(ff, p.Uid, p.Gid); err != nil {
 					ctx.Warning(err, "failed chowning file")
 				}
+				ctx.Debug("Set", p.Name, p.FileMode)
+				if err := os.Chmod(ff, p.FileMode); err != nil {
+					ctx.Warning(err, "failed chmod file")
+				}
 			}
 			for _, attrs := range []map[string]string{p.Xattrs, p.PAX} {
 				for k, attr := range attrs {
--- a/tests/fixtures/extra_perms/pkgA/0.1/build.yaml
+++ b/tests/fixtures/extra_perms/pkgA/0.1/build.yaml
@ -0,0 +1,18 @@
+image: "alpine"
+unpack: true
+includes:
+  - /foo
+  - /foo/bar
+  - /foo/bar/suid
+  - /foo/bar/sticky
+  - /foo/bar/sgid
+steps:
+- mkdir -p /foo/bar
+- touch /foo/bar/suid
+- touch /foo/bar/sgid
+- touch /foo/bar/sticky
+- chown 100:100 /foo/bar
+- chown 101:101 /foo/bar/suid
+- chmod u+s /foo/bar/suid
+- chmod u-s,g+s /foo/bar/sgid
+- chmod +t /foo/bar/sticky
--- a/tests/fixtures/extra_perms/pkgA/0.1/definition.yaml
+++ b/tests/fixtures/extra_perms/pkgA/0.1/definition.yaml
@ -0,0 +1,3 @@
+category: "test"
+name: "extra-perms"
+version: "0.1"
--- a/tests/integration/36_extra_perm_bits.sh
+++ b/tests/integration/36_extra_perm_bits.sh
@ -0,0 +1,79 @@
+#!/bin/bash
+
+export LUET_NOLOCK=true
+
+oneTimeSetUp() {
+export tmpdir="$(mktemp -d)"
+}
+
+oneTimeTearDown() {
+    rm -rf "$tmpdir"
+}
+
+testBuild() {
+    [ "$LUET_BACKEND" == "img" ] && startSkipping
+    mkdir $tmpdir/testbuild
+    luet build -d --tree "$ROOT_DIR/tests/fixtures/extra_perms" --same-owner=true --destination $tmpdir/testbuild --compression gzip --full
+    buildst=$?
+    assertTrue 'create package perms 0.1' "[ -e '$tmpdir/testbuild/extra-perms-test-0.1.package.tar.gz' ]"
+    assertEquals 'builds successfully' "$buildst" "0"
+}
+
+testRepo() {
+    [ "$LUET_BACKEND" == "img" ] && startSkipping
+    assertTrue 'no repository' "[ ! -e '$tmpdir/testbuild/repository.yaml' ]"
+    luet create-repo --tree "$ROOT_DIR/tests/fixtures/extra_perms" \
+    --output $tmpdir/testbuild \
+    --packages $tmpdir/testbuild \
+    --name "test" \
+    --descr "Test Repo" \
+    --urls $tmpdir/testrootfs \
+    --type http
+
+    createst=$?
+    assertEquals 'create repo successfully' "$createst" "0"
+    assertTrue 'create repository' "[ -e '$tmpdir/testbuild/repository.yaml' ]"
+}
+
+testConfig() {
+    [ "$LUET_BACKEND" == "img" ] && startSkipping
+    mkdir $tmpdir/testrootfs
+    cat <<EOF > $tmpdir/luet.yaml
+general:
+  debug: true
+system:
+  rootfs: $tmpdir/testrootfs
+  database_path: "/"
+  database_engine: "boltdb"
+config_from_host: true
+repositories:
+   - name: "main"
+     type: "disk"
+     enable: true
+     urls:
+       - "$tmpdir/testbuild"
+EOF
+    luet config --config $tmpdir/luet.yaml
+    res=$?
+    assertEquals 'config test successfully' "$res" "0"
+}
+
+testInstall() {
+    [ "$LUET_BACKEND" == "img" ] && startSkipping
+    $ROOT_DIR/tests/integration/bin/luet install -y --config $tmpdir/luet.yaml test/extra-perms
+    installst=$?
+    assertEquals 'install test successfully' "$installst" "0"
+   
+    tree $tmpdir/testrootfs/foo/bar
+    assertTrue 'package installed bar' "[ -d '$tmpdir/testrootfs/foo/bar' ]"
+
+    assertContains 'perms2' "$(stat -c %u:%g $tmpdir/testrootfs/foo/bar)" "100:100"
+    assertContains 'suid' "$(stat -c %a $tmpdir/testrootfs/foo/bar/suid)" "4644"
+    assertContains 'sgid' "$(stat -c %a $tmpdir/testrootfs/foo/bar/sgid)" "2644"
+    assertContains 'sticky' "$(stat -c %a $tmpdir/testrootfs/foo/bar/sticky)" "1644"
+}
+
+
+# Load shUnit2.
+. "$ROOT_DIR/tests/integration/shunit2"/shunit2
+