libcontainer: skip chown of /dev/null caused by fd redirection

Dzejrou · kolyshkin · commit fa722c1d1786 · 2023-02-08T19:49:35.000-08:00
In 18c4760 (libct: fixStdioPermissions: skip chown if not needed) the check whether the STDIO file descriptors point to /dev/null was removed which can cause /dev/null to change ownership e.g. when using docker exec on a running container: $ ls -l /dev/null crw-rw-rw- 1 root root 1, 3 Aug 1 14:12 /dev/null $ docker exec -u test 0ad6d3064e9d ls $ ls -l /dev/null crw-rw-rw- 1 test root 1, 3 Aug 1 14:12 /dev/null Signed-off-by: Jaroslav Jindrak <dzejrou@gmail.com> (cherry picked from commit 7e5e017) Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
@@ -411,8 +411,9 @@ func fixStdioPermissions(u *user.ExecUser) error {
 			return &os.PathError{Op: "fstat", Path: file.Name(), Err: err}
 		}
 
-		// Skip chown if uid is already the one we want.
-		if int(s.Uid) == u.Uid {
+		// Skip chown if uid is already the one we want or any of the STDIO descriptors
+		// were redirected to /dev/null.
+		if int(s.Uid) == u.Uid || s.Rdev == null.Rdev {
 			continue
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -411,8 +411,9 @@ func fixStdioPermissions(u *user.ExecUser) error {`
`411`	`411`	`return &os.PathError{Op: "fstat", Path: file.Name(), Err: err}`
`412`	`412`	`}`
`413`	`413`
`414`		`- // Skip chown if uid is already the one we want.`
`415`		`- if int(s.Uid) == u.Uid {`
	`414`	`+ // Skip chown if uid is already the one we want or any of the STDIO descriptors`
	`415`	`+ // were redirected to /dev/null.`
	`416`	`+ if int(s.Uid) == u.Uid \|\| s.Rdev == null.Rdev {`
`416`	`417`	`continue`
`417`	`418`	`}`
`418`	`419`