// currentUserIsOwner checks whether the current user is the owner of the given
// file.
func currentUserIsOwner(f string) bool {
if fileInfo, err := system.Stat(f); err == nil && fileInfo != nil {
if int(fileInfo.UID()) == os.Getuid() {
return true
}
}
return false
}
// IsFileOwner checks whether the current user is the owner of the given file.
func IsFileOwner(f string) bool {
if fileInfo, err := system.Stat(f); err == nil && fileInfo != nil {
if int(fileInfo.Uid()) == os.Getuid() {
return true
}
}
return false
}
// CanAccess takes a valid (existing) directory and a uid, gid pair and determines
// if that uid, gid pair has access (execute bit) to the directory
func CanAccess(path string, uid, gid int) bool {
statInfo, err := system.Stat(path)
if err != nil {
return false
}
fileMode := os.FileMode(statInfo.Mode())
permBits := fileMode.Perm()
return accessible(statInfo.UID() == uint32(uid),
statInfo.GID() == uint32(gid), permBits)
}
// copyOwnership copies the permissions and uid:gid of the source file
// into the destination file
func copyOwnership(source, destination string) error {
stat, err := system.Stat(source)
if err != nil {
return err
}
if err := os.Chown(destination, int(stat.Uid()), int(stat.Gid())); err != nil {
return err
}
return os.Chmod(destination, os.FileMode(stat.Mode()))
}
// user namespaces test: run daemon with remapped root setting
// 1. validate uid/gid maps are set properly
// 2. verify that files created are owned by remapped root
func (s *DockerDaemonSuite) TestDaemonUserNamespaceRootSetting(c *check.C) {
testRequires(c, DaemonIsLinux, SameHostDaemon, UserNamespaceInKernel)
c.Assert(s.d.StartWithBusybox("--userns-remap", "default"), checker.IsNil)
tmpDir, err := ioutil.TempDir("", "userns")
c.Assert(err, checker.IsNil)
defer os.RemoveAll(tmpDir)
// we need to find the uid and gid of the remapped root from the daemon's root dir info
uidgid := strings.Split(filepath.Base(s.d.root), ".")
c.Assert(uidgid, checker.HasLen, 2, check.Commentf("Should have gotten uid/gid strings from root dirname: %s", filepath.Base(s.d.root)))
uid, err := strconv.Atoi(uidgid[0])
c.Assert(err, checker.IsNil, check.Commentf("Can't parse uid"))
gid, err := strconv.Atoi(uidgid[1])
c.Assert(err, checker.IsNil, check.Commentf("Can't parse gid"))
// writable by the remapped root UID/GID pair
c.Assert(os.Chown(tmpDir, uid, gid), checker.IsNil)
out, err := s.d.Cmd("run", "-d", "--name", "userns", "-v", tmpDir+":/goofy", "busybox", "sh", "-c", "touch /goofy/testfile; top")
c.Assert(err, checker.IsNil, check.Commentf("Output: %s", out))
user := s.findUser(c, "userns")
c.Assert(uidgid[0], checker.Equals, user)
pid, err := s.d.Cmd("inspect", "--format='{{.State.Pid}}'", "userns")
c.Assert(err, checker.IsNil, check.Commentf("Could not inspect running container: out: %q", pid))
// check the uid and gid maps for the PID to ensure root is remapped
// (cmd = cat /proc/<pid>/uid_map | grep -E '0\s+9999\s+1')
out, rc1, err := runCommandPipelineWithOutput(
exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/uid_map"),
exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", uid)))
c.Assert(rc1, checker.Equals, 0, check.Commentf("Didn't match uid_map: output: %s", out))
out, rc2, err := runCommandPipelineWithOutput(
exec.Command("cat", "/proc/"+strings.TrimSpace(pid)+"/gid_map"),
exec.Command("grep", "-E", fmt.Sprintf("0[[:space:]]+%d[[:space:]]+", gid)))
c.Assert(rc2, checker.Equals, 0, check.Commentf("Didn't match gid_map: output: %s", out))
// check that the touched file is owned by remapped uid:gid
stat, err := system.Stat(filepath.Join(tmpDir, "testfile"))
c.Assert(err, checker.IsNil)
c.Assert(stat.UID(), checker.Equals, uint32(uid), check.Commentf("Touched file not owned by remapped root UID"))
c.Assert(stat.GID(), checker.Equals, uint32(gid), check.Commentf("Touched file not owned by remapped root GID"))
// use host usernamespace
out, err = s.d.Cmd("run", "-d", "--name", "userns_skip", "--userns", "host", "busybox", "sh", "-c", "touch /goofy/testfile; top")
c.Assert(err, checker.IsNil, check.Commentf("Output: %s", out))
user = s.findUser(c, "userns_skip")
// userns are skipped, user is root
c.Assert(user, checker.Equals, "root")
}
// Check ownership is root, both in non-userns and userns enabled modes
func (s *DockerSuite) TestCpCheckDestOwnership(c *check.C) {
testRequires(c, DaemonIsLinux, SameHostDaemon)
tmpVolDir := getTestDir(c, "test-cp-tmpvol")
containerID := makeTestContainer(c,
testContainerOptions{volumes: []string{fmt.Sprintf("%s:/tmpvol", tmpVolDir)}})
tmpDir := getTestDir(c, "test-cp-to-check-ownership")
defer os.RemoveAll(tmpDir)
makeTestContentInDir(c, tmpDir)
srcPath := cpPath(tmpDir, "file1")
dstPath := containerCpPath(containerID, "/tmpvol", "file1")
err := runDockerCp(c, srcPath, dstPath)
c.Assert(err, checker.IsNil)
stat, err := system.Stat(filepath.Join(tmpVolDir, "file1"))
c.Assert(err, checker.IsNil)
uid, gid, err := getRootUIDGID()
c.Assert(err, checker.IsNil)
c.Assert(stat.UID(), checker.Equals, uint32(uid), check.Commentf("Copied file not owned by container root UID"))
c.Assert(stat.GID(), checker.Equals, uint32(gid), check.Commentf("Copied file not owned by container root GID"))
}