Fix operations on read-only files when running unprivileged.

Fixes #307
containers · Jul 2, 2021 · 6819869 · 6819869
1 parent 58a016d
commit 6819869
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 0 deletions.
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -89,12 +89,14 @@ jobs:
                 sudo tests/unlink.sh
                 sudo tests/alpine.sh
                 sudo sh -c "(cd /root/go/src/github.com/containers/storage/tests; JOBS=1 STORAGE_OPTION=overlay.mount_program=/sbin/fuse-overlayfs STORAGE_DRIVER=overlay unshare -m ./test_runner.bash)"
+                tests/unpriv.sh
             ;;
             no-ovl-whiteouts)
                 sudo sh -c "(cd /unionmount-testsuite; FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 unshare -m ./run --ov --fuse=fuse-overlayfs --xdev)"
                 sudo FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 tests/fedora-installs.sh
                 sudo FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 tests/unlink.sh
                 sudo FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 tests/alpine.sh
                 sudo sh -c "(cd /root/go/src/github.com/containers/storage/tests; JOBS=1 FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 STORAGE_OPTION=overlay.mount_program=/sbin/fuse-overlayfs STORAGE_DRIVER=overlay unshare -m ./test_runner.bash)"
+                FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 tests/unpriv.sh
             ;;
         esac
diff --git a/fuse-overlayfs.h b/fuse-overlayfs.h
@@ -105,6 +105,9 @@ struct ovl_data
   uid_t uid;
   uid_t gid;
 
+  /* process euid. */
+  uid_t euid;
+
   struct ovl_plugin_context *plugins_ctx;
 };
 

diff --git a/main.c b/main.c
@@ -2972,6 +2972,8 @@ copyup (struct ovl_data *lo, struct ovl_node *node)
   mode = st.st_mode;
   if (lo->xattr_permissions)
     mode |= 0755;
+  if (lo->euid > 0)
+    mode |= 0200;
 
   if ((mode & S_IFMT) == S_IFDIR)
     {
@@ -5510,6 +5512,7 @@ main (int argc, char *argv[])
                         .squash_to_gid = -1,
                         .static_nlink = 0,
                         .xattr_permissions = 0,
+                        .euid = geteuid (),
                         .timeout = 1000000000.0,
                         .timeout_str = NULL,
                         .writeback = 1,

diff --git a/tests/unpriv.sh b/tests/unpriv.sh
@@ -0,0 +1,31 @@
+#!/bin/sh
+
+set -ex
+
+test $(id -u) -gt 0
+
+rm -rf unpriv-test
+mkdir unpriv-test
+
+cd unpriv-test
+
+mkdir lower upper workdir merged
+
+touch lower/a lower/b
+chmod 444 lower/a lower/b
+
+fuse-overlayfs -o lowerdir=lower,upperdir=upper,workdir=workdir merged
+
+rm -f merged/a
+chmod 406 merged/b
+
+test \! -e merged/a
+test $(stat --printf=%a merged/b) -eq 406
+test $(stat --printf=%a upper/b) -eq 406
+if [ ${FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT:-0} -eq 1 ]; then
+    test -e upper/.wh.a
+else
+    test -c upper/a
+fi
+
+fusermount -u merged || [ $? -eq "${EXPECT_UMOUNT_STATUS:-0}" ]