
Erroneous set of rwx permissions on etc and usr directories #1130

Open
3 tasks done
D3vil0p3r opened this issue Jun 5, 2024 · 6 comments
Labels
area/buildkit kind/upstream Changes need to be made on upstream project

Comments

@D3vil0p3r

Contributing guidelines

I've found a bug, and:

  • The documentation does not mention anything about my problem
  • There are no open or closed issues that are related to my problem

Description

I have a docker container as an Arch-based Linux distro. Usually I create the container and I push it by the build-push-action but when I create and push the container by this action, when I pull the image and run the container, the filesystem root has the following permissions:

drwxr-xr-x root root  26 B Wed Jun  5 10:27:55 2024  .
drwxr-xr-x root root  26 B Wed Jun  5 10:27:55 2024  ..
.rwxr-xr-x root root   0 B Wed Jun  5 10:27:55 2024  .dockerenv
lrwxrwxrwx root root   7 B Sun Apr  7 18:02:30 2024  bin ⇒ usr/bin
drwxr-xr-x root root   0 B Sun Apr  7 18:02:30 2024  boot
drwxr-xr-x root root 420 B Wed Jun  5 10:27:55 2024  dev
drwxrwxrwx root root 140 B Wed Jun  5 10:27:58 2024  etc
drwxr-xr-x root root  12 B Wed Jun  5 10:09:04 2024  home
lrwxrwxrwx root root   7 B Sun Apr  7 18:02:30 2024  lib ⇒ usr/lib
lrwxrwxrwx root root   7 B Sun Apr  7 18:02:30 2024  lib64 ⇒ usr/lib
drwxr-xr-x root root   0 B Sun Apr  7 18:02:30 2024  mnt
drwxr-xr-x root root  30 B Wed Jun  5 10:07:57 2024  opt
dr-xr-xr-x root root   0 B Wed Jun  5 10:27:55 2024  proc
drwxr-x--- root root  20 B Wed Jun  5 10:09:03 2024 󰉐 root
drwxr-xr-x root root 460 B Wed Jun  5 10:28:00 2024  run
lrwxrwxrwx root root   7 B Sun Apr  7 18:02:30 2024  sbin ⇒ usr/bin
drwxr-xr-x root root  14 B Sun Jun  2 03:31:09 2024  srv
dr-xr-xr-x root root   0 B Wed Jun  5 10:27:55 2024  sys
drwxrwxrwt root root 200 B Wed Jun  5 11:17:53 2024  tmp
drwxrwxrwx root root  10 B Wed Jun  5 10:05:00 2024  usr
drwxr-xr-x root root  44 B Wed Jun  5 10:27:58 2024  var

Look at the etc and usr permissions. This creates several issues (like /etc/sudoers.d not working if it is world writable).

When I build the same container locally and I push it by:

git clone https://github.com/Athena-OS/athena-rdp-docker.git
cd athena-rdp-docker
docker buildx build --tag 'athena-rdp:latest' .

docker login
docker push athenaos/rdp:latest

and then I run it by docker run, the permissions are set correctly.

So I have the described issue only when I use docker action. The GitHub workflow I use for it is:

name: Scheduled Publish

on:
  schedule:
    - cron: '22 4 * * 0'
  workflow_dispatch:

jobs:
  docker-publish:
    runs-on: ubuntu-latest
    steps:
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - 
        name: Log to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      -
        name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: athenaos/rdp:latest

Instructions to run the container are on README of the https://github.com/Athena-OS/athena-rdp-docker repository.

Expected behaviour

The /etc and /usr directories and some of their subdirectories should have the right permissions, for example:

drwxr-xr-x root root 3.4 KB Wed Jun  5 10:33:25 2024  etc
drwxr-xr-x root root 162 B  Wed Jun  5 10:33:25 2024  usr

Actual behaviour

The filesystem root has the following permissions:

drwxrwxrwx root root 140 B Wed Jun  5 10:27:58 2024  etc
drwxrwxrwx root root  10 B Wed Jun  5 10:05:00 2024  usr

Repository URL

https://github.com/Athena-OS/athena-rdp-docker

Workflow run URL

https://github.com/Athena-OS/athena-rdp-docker/blob/main/.github/workflows/docker-publish.yml

Workflow logs

No response

BuildKit logs

No response

Additional info

No response

@D3vil0p3r (Author)

I further investigated, and I noted that the issue is still caused by COPY rootfs/ / when it is parsed by build-push-action. In practice, when build-push-action copies all the files and directories to the root of the container, it copies them with all write permissions.

@crazy-max (Member) commented Jun 12, 2024

Thanks for reporting.

This looks related to BuildKit, not the GitHub action. Building your project with this Dockerfile locally gives the same behavior:

FROM athenaos/base:latest
RUN ls -al /
COPY rootfs/ /
RUN ls -al /

$ docker buildx build --no-cache --progress=plain .
...
#5 [internal] load build context
#5 transferring context: 1.77kB 0.2s done
#5 DONE 0.2s

#6 [2/4] RUN ls -al /
#6 0.380 total 52
#6 0.380 drwxr-xr-x   1 root root 4096 Jun 12 14:31 .
#6 0.380 drwxr-xr-x   1 root root 4096 Jun 12 14:31 ..
#6 0.380 lrwxrwxrwx   1 root root    7 Apr  7 18:02 bin -> usr/bin
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 boot
#6 0.380 drwxr-xr-x   5 root root  340 Jun 12 14:31 dev
#6 0.380 drwxr-xr-x   1 root root 4096 Jun 12 14:31 etc
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 home
#6 0.380 lrwxrwxrwx   1 root root    7 Apr  7 18:02 lib -> usr/lib
#6 0.380 lrwxrwxrwx   1 root root    7 Apr  7 18:02 lib64 -> usr/lib
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 mnt
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 opt
#6 0.380 dr-xr-xr-x 494 root root    0 Jun 12 14:31 proc
#6 0.380 drwxr-x---   2 root root 4096 Apr  7 18:02 root
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 run
#6 0.380 lrwxrwxrwx   1 root root    7 Apr  7 18:02 sbin -> usr/bin
#6 0.380 drwxr-xr-x   4 root root 4096 Jun  9 03:31 srv
#6 0.380 dr-xr-xr-x  11 root root    0 Jun  6 10:00 sys
#6 0.380 drwxrwxrwt   2 root root 4096 Apr  7 18:02 tmp
#6 0.380 drwxr-xr-x   8 root root 4096 Jun  9 03:31 usr
#6 0.380 drwxr-xr-x  12 root root 4096 Jun  9 03:31 var
#6 DONE 0.4s

#7 [3/4] COPY rootfs/ /
#7 DONE 0.1s

#8 [4/4] RUN ls -al /
#8 0.428 total 56
#8 0.428 drwxr-xr-x   1 root root 4096 Jun 12 14:31 .
#8 0.428 drwxr-xr-x   1 root root 4096 Jun 12 14:31 ..
#8 0.428 lrwxrwxrwx   1 root root    7 Apr  7 18:02 bin -> usr/bin
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 boot
#8 0.428 drwxr-xr-x   5 root root  340 Jun 12 14:31 dev
#8 0.428 drwxrwxrwx   1 root root 4096 Jun 12 14:31 etc
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 home
#8 0.428 lrwxrwxrwx   1 root root    7 Apr  7 18:02 lib -> usr/lib
#8 0.428 lrwxrwxrwx   1 root root    7 Apr  7 18:02 lib64 -> usr/lib
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 mnt
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 opt
#8 0.428 dr-xr-xr-x 496 root root    0 Jun 12 14:31 proc
#8 0.428 drwxr-x---   2 root root 4096 Apr  7 18:02 root
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 run
#8 0.428 lrwxrwxrwx   1 root root    7 Apr  7 18:02 sbin -> usr/bin
#8 0.428 drwxr-xr-x   4 root root 4096 Jun  9 03:31 srv
#8 0.428 dr-xr-xr-x  11 root root    0 Jun  6 10:00 sys
#8 0.428 drwxrwxrwt   2 root root 4096 Apr  7 18:02 tmp
#8 0.428 drwxrwxrwx   1 root root 4096 Jun 12 14:27 usr
#8 0.428 drwxr-xr-x  12 root root 4096 Jun  9 03:31 var
#8 DONE 0.5s
...

Related issue is here: moby/buildkit#3602

@D3vil0p3r (Author) commented Jun 12, 2024

@crazy-max thanks for the answer. The strange fact is that the mentioned open issue was opened 1 year ago, but I experienced this issue only in the last month... And if I manually build the image, it works correctly. If I use the mentioned GH action, no...

Indeed the latest pushed image in docker hub of Athena OS was built locally and you can see that the permissions are set correctly.

crazy-max reopened this Jun 12, 2024

@crazy-max (Member)

@D3vil0p3r This seems linked to a regression since BuildKit 0.13: moby/buildkit#5066

Can you try with:

      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver-opts: image=moby/buildkit:v0.12.5

@D3vil0p3r (Author)

Hey @crazy-max by using your workaround, the permissions are set now correctly. Thank you.

I guess that buildkit must fix the issue.
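Pinning an older BuildKit is a workaround, not a guarantee, so a practitioner would want a CI check that fails the build when a published rootfs ends up with world-writable system directories like the /etc and /usr shown in the report. The script below is an added example, not code from this issue or from the Athena-OS project: it lists directories that have the other-write bit set but not the sticky bit (so a legitimate drwxrwxrwt /tmp is not flagged), and builds a small constructed directory tree that mimics the bad image to exercise the check. The function names and the sample tree layout are this example's own.

```shell
#!/bin/sh
# Added example (not from the issue or the Athena-OS project): audit a root
# filesystem tree for directories that are world-writable without the sticky
# bit, the exact condition the report shows for /etc and /usr.

# Print, sorted, every directory under $1 with the other-write bit (0002) set
# and the sticky bit (1000) clear. -xdev keeps find on one filesystem so
# /proc, /sys and bind mounts are not walked when run inside a container.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Return 0 when the tree is clean, 1 (with the offending paths printed) otherwise.
# This is the function to call from a CI step after the image is built.
audit_rootfs() {
    offenders=$(world_writable_dirs "$1")
    if [ -n "$offenders" ]; then
        printf 'world-writable directories without sticky bit under %s:\n%s\n' "$1" "$offenders"
        return 1
    fi
    return 0
}

# Build a constructed tree that reproduces the shape of the bad image:
# etc and usr at 0777 (as in the report), normal 0755 subdirectories, and a
# sticky 1777 tmp that must NOT be flagged. Prints the tree's root path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/sudoers.d" "$root/usr/bin" "$root/var" "$root/tmp"
    chmod 0777 "$root/etc" "$root/usr"                      # the bad permissions
    chmod 0755 "$root/etc/sudoers.d" "$root/usr/bin" "$root/var"
    chmod 1777 "$root/tmp"                                  # sticky: legitimate
    printf '%s\n' "$root"
}

# When invoked with a path argument, audit that path and exit with its status;
# with no arguments the functions are only defined (so the file can be sourced).
if [ $# -gt 0 ]; then
    audit_rootfs "$1"
    exit $?
fi
```

To apply the same check to a pushed image, run the find inside the container, for example `docker run --rm athenaos/rdp:latest find / -xdev -type d -perm -0002 ! -perm -1000` and fail the workflow step when it prints anything; `-perm -mode` (all listed bits set) is POSIX find syntax, so it works with the busybox and GNU find found in typical base images.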

@polarathene

UPDATE: Below can be ignored. The bug was specific to git context, which was not obvious to me 😓

# NOTE: Due to git context `-f-` is required to use a local Dockerfile for custom build via stdin:
docker buildx build -f- --builder bk-13 --progress plain --no-cache https://github.com/Athena-OS/athena-rdp-docker.git < Dockerfile.local

# Fixed:
docker buildx build -f- --builder bk-15 --progress plain --no-cache https://github.com/Athena-OS/athena-rdp-docker.git < Dockerfile.local

@D3vil0p3r you can update to use BuildKit 0.15.2 which should already be the default now with Github CI, so you can revert this. Issue can be closed as resolved 👍


Not reproducible with local build context

This looks related to BuildKit, not the GitHub action. Building your project with this Dockerfile locally gives the same behavior:

FROM athenaos/base:latest
RUN ls -al /
COPY rootfs/ /
RUN ls -al /

I cannot seem to reproduce with any of the following buildx builder drivers:

NAME     DRIVER            BUILDKIT
bk-12    docker-container  v0.12.5
bk-13    docker-container  v0.13.2
bk-15    docker-container  v0.15.2
default  docker            v0.13.2

What I did notice was that whatever permissions I had for the directory or files was copied over. And git checkout would apply a umask if any on the host (unrelated to the docker build), which could result in the files for COPY to be 777?

For the reproduction attempt I cloned athena-rdp-docker locally (to /tmp) and ran chmod -R 737 rootfs && chown -R 200:200 rootfs, and changed to the minimal Dockerfile in the quote above. Then used each --builder arg above.

Ownership of /etc and any files were copied into the container as root:root as expected, while permissions for each builder preserved the 737 value assigned, if umask 022 was relevant to BuildKit 0.13.2 the permissions should have become 715.


Workflow run URL

https://github.com/Athena-OS/athena-rdp-docker/blob/main/.github/workflows/docker-publish.yml

At the time of the report the workflow was running with (BuildKit 0.13.2 was used in this CI run):

Client: Docker Engine - Community
   Version:           24.0.9
   API version:       1.43
   Go version:        go1.20.13
   Git commit:        2936816
   Built:             Thu Feb  1 00:48:39 2024
   OS/Arch:           linux/amd64

   containerd:
    Version:          1.6.32

   runc:
    Version:          1.1.12

   Plugins:
    buildx: Docker Buildx (Docker Inc.)
      Version:  v0.14.1

   Kernel Version: 6.5.0-1021-azure
   Operating System: Ubuntu 22.04.4 LTS

By the time of the June 23rd comment about BuildKit 0.12.5 working as a solution, this was the CI environment:

Client: Docker Engine - Community
   Version:           26.1.3
   API version:       1.45
   Go version:        go1.21.10
   Git commit:        b72abbb
   Built:             Thu May 16
   OS/Arch:           linux/amd64
   Context:           default

   containerd:
    Version:          1.6.33

   runc:
    Version:          1.1.12

   Plugins:
    buildx: Docker Buildx (Docker Inc.)
      Version:  v0.15.0

   Kernel Version: 6.5.0-1022-azure
   Operating System: Ubuntu 22.04.4 LTS

I am running on similar version of Docker (26.1.1) myself, but have the older buildx:

Client:
 Version:    26.1.1

 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.14.0-desktop.1

 containerd version: e377cd56a71523140ca6ae87e30244719194a521
 runc version: v1.1.12-0-g51d5e94

 Kernel Version: 5.15.123.1-microsoft-standard-WSL2
 Operating System: Docker Desktop

I'm more inclined that the change may have been due to Docker Engine v24 vs v26? Unless something else differs between environments 🤷‍♂️ (Yep, it was local vs git context)
