utils: mkdirall: mask silently ignored mode bits to match os.MkdirAll

It turns out that the suid and sgid mode bits are silently ignored by Linux (though the sticky bit is honoured), and some users are requesting mode bits that are ignored. While returning an error (as securejoin does) makes some sense, this is a regression. Ref: https://github.com/cyphar/filepath-securejoin/issues/23 Fixes: dd827f7b71 ("utils: switch to securejoin.MkdirAllHandle") Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
2025-10-08 00:40:40 +08:00 · 2024-09-13 14:33:48 +10:00
parent 457e1ffa4c
commit 646efe70b1
1 changed files with 8 additions and 0 deletions
--- a/libcontainer/utils/utils_unix.go
+++ b/libcontainer/utils/utils_unix.go
@@ -319,6 +319,14 @@ func MkdirAllInRootOpen(root, unsafePath string, mode uint32) (_ *os.File, Err e
 	if mode&^0o7777 != 0 {
 		return nil, fmt.Errorf("tried to include non-mode bits in MkdirAll mode: 0o%.3o", mode)
 	}
+	// Linux (and thus os.MkdirAll) silently ignores the suid and sgid bits if
+	// passed. While it would make sense to return an error in that case (since
+	// the user has asked for a mode that won't be applied), for compatibility
+	// reasons we have to ignore these bits.
+	if ignoredBits := mode &^ 0o1777; ignoredBits != 0 {
+		logrus.Warnf("MkdirAll called with no-op mode bits that are ignored by Linux: 0o%.3o", ignoredBits)
+		mode &= 0o1777
+	}

 	rootDir, err := os.OpenFile(root, unix.O_DIRECTORY|unix.O_CLOEXEC, 0)
 	if err != nil {