properly skip mounted files

cpavot · Nov 8, 2017 · a5d9ea8 · a5d9ea8
1 parent c8626b5
commit a5d9ea8
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 6 deletions.
diff --git a/docker/alpine/Dockerfile b/docker/alpine/Dockerfile
@@ -8,3 +8,6 @@ RUN chmod u+s /usr/local/bin/fixuid && \
     chown -R docker:docker /tmp/*
 
 USER docker:docker
+
+RUN touch /home/docker/aaa && \
+    touch /home/docker/zzz
diff --git a/docker/centos/Dockerfile b/docker/centos/Dockerfile
@@ -8,3 +8,6 @@ RUN chmod u+s /usr/local/bin/fixuid && \
     chown -R docker:docker /tmp/*
 
 USER docker:docker
+
+RUN touch /home/docker/aaa && \
+    touch /home/docker/zzz
diff --git a/docker/debian/Dockerfile b/docker/debian/Dockerfile
@@ -8,3 +8,6 @@ RUN chmod u+s /usr/local/bin/fixuid && \
     chown -R docker:docker /tmp/*
 
 USER docker:docker
+
+RUN touch /home/docker/aaa && \
+    touch /home/docker/zzz
diff --git a/docker/fs-stage/usr/local/bin/fixuid-mount-test.sh b/docker/fs-stage/usr/local/bin/fixuid-mount-test.sh
@@ -5,7 +5,7 @@ expected_gid=$2
 
 rc=0
 
-files="/home/docker/tmp/test-dir /home/docker/tmp/test-dir/test-file /home/docker/tmp/test-file"
+files="/home/docker/mnt-dir/test-dir /home/docker/mnt-dir/test-dir/test-file /home/docker/mnt-dir/test-file /home/docker/mnt-file"
 for file in $files
 do
     file_uid=$(stat -c "%u" $file)

diff --git a/docker/fs-stage/usr/local/bin/fixuid-test.sh b/docker/fs-stage/usr/local/bin/fixuid-test.sh
@@ -26,7 +26,7 @@ then
     rc=1
 fi
 
-files="/tmp/test-dir /tmp/test-dir/test-file /tmp/test-file /home/docker"
+files="/tmp/test-dir /tmp/test-dir/test-file /tmp/test-file /home/docker /home/docker/aaa /home/docker/zzz"
 for file in $files
 do
     file_user=$(stat -c "%U" $file)

diff --git a/fixuid.go b/fixuid.go
@@ -190,7 +190,13 @@ func main() {
 
 			// prevent recursing into mounts - skip if it is not the same device as /
 			if sys.Dev != rootDev {
-				return filepath.SkipDir
+				if sys.Uid == containerUIDUint32 && sys.Gid == containerGIDUint32 {
+					logger.Println("skipping mounted path " + filePath)
+				}
+				if fileInfo.IsDir() {
+					return filepath.SkipDir
+				}
+				return nil
 			}
 
 			// only chown if file is containerUID:containerGID

diff --git a/test.sh b/test.sh
@@ -91,8 +91,8 @@ echo "\ndebian run twice entrypoint"
 docker run --rm --entrypoint fixuid fixuid-debian sh -c "fixuid-test.sh docker docker && fixuid fixuid-test.sh docker docker"
 
 echo "\nalpine should not chown mount"
-docker run --rm -v $(pwd)/docker/fs-stage/tmp:/home/docker/tmp -u 1234:1234 fixuid-alpine sh -c "fixuid-test.sh docker docker && fixuid-mount-test.sh $(id -u) $(id -g)"
+docker run --rm -v $(pwd)/docker/fs-stage/tmp:/home/docker/mnt-dir -v $(pwd)/docker/fs-stage/tmp/test-file:/home/docker/mnt-file -u 1234:1234 fixuid-alpine sh -c "fixuid-test.sh docker docker && fixuid-mount-test.sh $(id -u) $(id -g)"
 echo "\ncentos should not chown mount"
-docker run --rm -v $(pwd)/docker/fs-stage/tmp:/home/docker/tmp -u 1234:1234 fixuid-centos sh -c "fixuid-test.sh docker docker && fixuid-mount-test.sh $(id -u) $(id -g)"
+docker run --rm -v $(pwd)/docker/fs-stage/tmp:/home/docker/mnt-dir -v $(pwd)/docker/fs-stage/tmp/test-file:/home/docker/mnt-file -u 1234:1234 fixuid-centos sh -c "fixuid-test.sh docker docker && fixuid-mount-test.sh $(id -u) $(id -g)"
 echo "\ndebian should not chown mount"
-docker run --rm -v $(pwd)/docker/fs-stage/tmp:/home/docker/tmp -u 1234:1234 fixuid-debian sh -c "fixuid-test.sh docker docker && fixuid-mount-test.sh $(id -u) $(id -g)"
+docker run --rm -v $(pwd)/docker/fs-stage/tmp:/home/docker/mnt-dir -v $(pwd)/docker/fs-stage/tmp/test-file:/home/docker/mnt-file -u 1234:1234 fixuid-debian sh -c "fixuid-test.sh docker docker && fixuid-mount-test.sh $(id -u) $(id -g)"