2015-10-14 14:35:48 -04:00
|
|
|
// +build !windows
|
|
|
|
|
2018-02-05 16:05:59 -05:00
|
|
|
package idtools // import "github.com/docker/docker/pkg/idtools"
|
2015-10-14 14:35:48 -04:00
|
|
|
|
|
|
|
import (
|
2016-10-20 15:43:42 -04:00
|
|
|
"bytes"
|
|
|
|
"fmt"
|
|
|
|
"io"
|
2015-10-14 14:35:48 -04:00
|
|
|
"os"
|
|
|
|
"path/filepath"
|
2020-05-24 09:29:06 -04:00
|
|
|
"strconv"
|
2016-10-20 15:43:42 -04:00
|
|
|
"strings"
|
|
|
|
"sync"
|
2017-11-27 16:11:11 -05:00
|
|
|
"syscall"
|
2015-10-14 14:35:48 -04:00
|
|
|
|
|
|
|
"github.com/docker/docker/pkg/system"
|
2016-10-20 15:43:42 -04:00
|
|
|
"github.com/opencontainers/runc/libcontainer/user"
|
2020-05-24 09:29:06 -04:00
|
|
|
"github.com/pkg/errors"
|
2016-10-20 15:43:42 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
var (
|
|
|
|
entOnce sync.Once
|
|
|
|
getentCmd string
|
2015-10-14 14:35:48 -04:00
|
|
|
)
|
|
|
|
|
2017-11-16 01:20:33 -05:00
|
|
|
func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting bool) error {
|
2015-10-14 14:35:48 -04:00
|
|
|
// make an array containing the original path asked for, plus (for mkAll == true)
|
|
|
|
// all path components leading up to the complete path that don't exist before we MkdirAll
|
|
|
|
// so that we can chown all of them properly at the end. If chownExisting is false, we won't
|
|
|
|
// chown the full directory path if it exists
|
2017-11-16 01:20:33 -05:00
|
|
|
|
2015-10-14 14:35:48 -04:00
|
|
|
var paths []string
|
2017-10-02 09:47:09 -04:00
|
|
|
|
|
|
|
stat, err := system.Stat(path)
|
|
|
|
if err == nil {
|
2017-11-27 16:11:11 -05:00
|
|
|
if !stat.IsDir() {
|
Simplify/fix MkdirAll usage
This subtle bug keeps lurking in because error checking for `Mkdir()`
and `MkdirAll()` is slightly different wrt to `EEXIST`/`IsExist`:
- for `Mkdir()`, `IsExist` error should (usually) be ignored
(unless you want to make sure directory was not there before)
as it means "the destination directory was already there"
- for `MkdirAll()`, `IsExist` error should NEVER be ignored.
Mostly, this commit just removes ignoring the IsExist error, as it
should not be ignored.
Also, there are a couple of cases then IsExist is handled as
"directory already exist" which is wrong. As a result, some code
that never worked as intended is now removed.
NOTE that `idtools.MkdirAndChown()` behaves like `os.MkdirAll()`
rather than `os.Mkdir()` -- so its description is amended accordingly,
and its usage is handled as such (i.e. IsExist error is not ignored).
For more details, a quote from my runc commit 6f82d4b (July 2015):
TL;DR: check for IsExist(err) after a failed MkdirAll() is both
redundant and wrong -- so two reasons to remove it.
Quoting MkdirAll documentation:
> MkdirAll creates a directory named path, along with any necessary
> parents, and returns nil, or else returns an error. If path
> is already a directory, MkdirAll does nothing and returns nil.
This means two things:
1. If a directory to be created already exists, no error is
returned.
2. If the error returned is IsExist (EEXIST), it means there exists
a non-directory with the same name as MkdirAll need to use for
directory. Example: we want to MkdirAll("a/b"), but file "a"
(or "a/b") already exists, so MkdirAll fails.
The above is a theory, based on quoted documentation and my UNIX
knowledge.
3. In practice, though, current MkdirAll implementation [1] returns
ENOTDIR in most of cases described in #2, with the exception when
there is a race between MkdirAll and someone else creating the
last component of MkdirAll argument as a file. In this very case
MkdirAll() will indeed return EEXIST.
Because of #1, IsExist check after MkdirAll is not needed.
Because of #2 and #3, ignoring IsExist error is just plain wrong,
as directory we require is not created. It's cleaner to report
the error now.
Note this error is all over the tree, I guess due to copy-paste,
or trying to follow the same usage pattern as for Mkdir(),
or some not quite correct examples on the Internet.
[1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-09-25 15:39:36 -04:00
|
|
|
return &os.PathError{Op: "mkdir", Path: path, Err: syscall.ENOTDIR}
|
2017-11-27 16:11:11 -05:00
|
|
|
}
|
2017-10-02 09:47:09 -04:00
|
|
|
if !chownExisting {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-10-14 14:35:48 -04:00
|
|
|
// short-circuit--we were called with an existing directory and chown was requested
|
2017-11-16 01:20:33 -05:00
|
|
|
return lazyChown(path, owner.UID, owner.GID, stat)
|
2017-10-02 09:47:09 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
if os.IsNotExist(err) {
|
|
|
|
paths = []string{path}
|
2015-10-14 14:35:48 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
if mkAll {
|
|
|
|
// walk back to "/" looking for directories which do not exist
|
|
|
|
// and add them to the paths array for chown after creation
|
|
|
|
dirPath := path
|
|
|
|
for {
|
|
|
|
dirPath = filepath.Dir(dirPath)
|
|
|
|
if dirPath == "/" {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
if _, err := os.Stat(dirPath); err != nil && os.IsNotExist(err) {
|
|
|
|
paths = append(paths, dirPath)
|
|
|
|
}
|
|
|
|
}
|
2019-08-08 05:51:00 -04:00
|
|
|
if err := system.MkdirAll(path, mode); err != nil {
|
2015-10-14 14:35:48 -04:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if err := os.Mkdir(path, mode); err != nil && !os.IsExist(err) {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// even if it existed, we will chown the requested path + any subpaths that
|
|
|
|
// didn't exist when we called MkdirAll
|
|
|
|
for _, pathComponent := range paths {
|
2017-11-16 01:20:33 -05:00
|
|
|
if err := lazyChown(pathComponent, owner.UID, owner.GID, nil); err != nil {
|
2015-10-14 14:35:48 -04:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
2016-08-23 12:49:13 -04:00
|
|
|
|
|
|
|
// CanAccess takes a valid (existing) directory and a uid, gid pair and determines
|
|
|
|
// if that uid, gid pair has access (execute bit) to the directory
|
2017-11-16 01:20:33 -05:00
|
|
|
func CanAccess(path string, pair Identity) bool {
|
2016-08-23 12:49:13 -04:00
|
|
|
statInfo, err := system.Stat(path)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
fileMode := os.FileMode(statInfo.Mode())
|
|
|
|
permBits := fileMode.Perm()
|
2017-05-19 18:06:46 -04:00
|
|
|
return accessible(statInfo.UID() == uint32(pair.UID),
|
|
|
|
statInfo.GID() == uint32(pair.GID), permBits)
|
2016-08-23 12:49:13 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
func accessible(isOwner, isGroup bool, perms os.FileMode) bool {
|
|
|
|
if isOwner && (perms&0100 == 0100) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
if isGroup && (perms&0010 == 0010) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
if perms&0001 == 0001 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
2016-10-20 15:43:42 -04:00
|
|
|
|
|
|
|
// LookupUser uses traditional local system files lookup (from libcontainer/user) on a username,
|
|
|
|
// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
|
|
|
|
func LookupUser(username string) (user.User, error) {
|
|
|
|
// first try a local system files lookup using existing capabilities
|
|
|
|
usr, err := user.LookupUser(username)
|
|
|
|
if err == nil {
|
|
|
|
return usr, nil
|
|
|
|
}
|
|
|
|
// local files lookup failed; attempt to call `getent` to query configured passwd dbs
|
|
|
|
usr, err = getentUser(fmt.Sprintf("%s %s", "passwd", username))
|
|
|
|
if err != nil {
|
|
|
|
return user.User{}, err
|
|
|
|
}
|
|
|
|
return usr, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid,
|
|
|
|
// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
|
|
|
|
func LookupUID(uid int) (user.User, error) {
|
|
|
|
// first try a local system files lookup using existing capabilities
|
|
|
|
usr, err := user.LookupUid(uid)
|
|
|
|
if err == nil {
|
|
|
|
return usr, nil
|
|
|
|
}
|
|
|
|
// local files lookup failed; attempt to call `getent` to query configured passwd dbs
|
|
|
|
return getentUser(fmt.Sprintf("%s %d", "passwd", uid))
|
|
|
|
}
|
|
|
|
|
|
|
|
func getentUser(args string) (user.User, error) {
|
|
|
|
reader, err := callGetent(args)
|
|
|
|
if err != nil {
|
|
|
|
return user.User{}, err
|
|
|
|
}
|
|
|
|
users, err := user.ParsePasswd(reader)
|
|
|
|
if err != nil {
|
|
|
|
return user.User{}, err
|
|
|
|
}
|
|
|
|
if len(users) == 0 {
|
|
|
|
return user.User{}, fmt.Errorf("getent failed to find passwd entry for %q", strings.Split(args, " ")[1])
|
|
|
|
}
|
|
|
|
return users[0], nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupGroup uses traditional local system files lookup (from libcontainer/user) on a group name,
|
|
|
|
// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
|
|
|
|
func LookupGroup(groupname string) (user.Group, error) {
|
|
|
|
// first try a local system files lookup using existing capabilities
|
|
|
|
group, err := user.LookupGroup(groupname)
|
|
|
|
if err == nil {
|
|
|
|
return group, nil
|
|
|
|
}
|
|
|
|
// local files lookup failed; attempt to call `getent` to query configured group dbs
|
|
|
|
return getentGroup(fmt.Sprintf("%s %s", "group", groupname))
|
|
|
|
}
|
|
|
|
|
|
|
|
// LookupGID uses traditional local system files lookup (from libcontainer/user) on a group ID,
|
|
|
|
// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
|
|
|
|
func LookupGID(gid int) (user.Group, error) {
|
|
|
|
// first try a local system files lookup using existing capabilities
|
|
|
|
group, err := user.LookupGid(gid)
|
|
|
|
if err == nil {
|
|
|
|
return group, nil
|
|
|
|
}
|
|
|
|
// local files lookup failed; attempt to call `getent` to query configured group dbs
|
|
|
|
return getentGroup(fmt.Sprintf("%s %d", "group", gid))
|
|
|
|
}
|
|
|
|
|
|
|
|
func getentGroup(args string) (user.Group, error) {
|
|
|
|
reader, err := callGetent(args)
|
|
|
|
if err != nil {
|
|
|
|
return user.Group{}, err
|
|
|
|
}
|
|
|
|
groups, err := user.ParseGroup(reader)
|
|
|
|
if err != nil {
|
|
|
|
return user.Group{}, err
|
|
|
|
}
|
|
|
|
if len(groups) == 0 {
|
|
|
|
return user.Group{}, fmt.Errorf("getent failed to find groups entry for %q", strings.Split(args, " ")[1])
|
|
|
|
}
|
|
|
|
return groups[0], nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func callGetent(args string) (io.Reader, error) {
|
|
|
|
entOnce.Do(func() { getentCmd, _ = resolveBinary("getent") })
|
|
|
|
// if no `getent` command on host, can't do anything else
|
|
|
|
if getentCmd == "" {
|
|
|
|
return nil, fmt.Errorf("")
|
|
|
|
}
|
|
|
|
out, err := execCmd(getentCmd, args)
|
|
|
|
if err != nil {
|
2016-11-08 11:21:02 -05:00
|
|
|
exitCode, errC := system.GetExitCode(err)
|
2016-10-20 15:43:42 -04:00
|
|
|
if errC != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
switch exitCode {
|
|
|
|
case 1:
|
|
|
|
return nil, fmt.Errorf("getent reported invalid parameters/database unknown")
|
|
|
|
case 2:
|
|
|
|
terms := strings.Split(args, " ")
|
|
|
|
return nil, fmt.Errorf("getent unable to find entry %q in %s database", terms[1], terms[0])
|
|
|
|
case 3:
|
|
|
|
return nil, fmt.Errorf("getent database doesn't support enumeration")
|
|
|
|
default:
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
return bytes.NewReader(out), nil
|
|
|
|
}
|
2017-10-02 09:47:09 -04:00
|
|
|
|
|
|
|
// lazyChown performs a chown only if the uid/gid don't match what's requested
|
|
|
|
// Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the
|
|
|
|
// dir is on an NFS share, so don't call chown unless we absolutely must.
|
|
|
|
func lazyChown(p string, uid, gid int, stat *system.StatT) error {
|
|
|
|
if stat == nil {
|
|
|
|
var err error
|
|
|
|
stat, err = system.Stat(p)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if stat.UID() == uint32(uid) && stat.GID() == uint32(gid) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
return os.Chown(p, uid, gid)
|
|
|
|
}
|
2020-05-24 09:29:06 -04:00
|
|
|
|
|
|
|
// NewIdentityMapping takes a requested username and
|
|
|
|
// using the data from /etc/sub{uid,gid} ranges, creates the
|
|
|
|
// proper uid and gid remapping ranges for that user/group pair
|
|
|
|
func NewIdentityMapping(username string) (*IdentityMapping, error) {
|
|
|
|
usr, err := LookupUser(username)
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("Could not get user for username %s: %v", username, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
uid := strconv.Itoa(usr.Uid)
|
|
|
|
|
|
|
|
subuidRangesWithUserName, err := parseSubuid(username)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
subgidRangesWithUserName, err := parseSubgid(username)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
subuidRangesWithUID, err := parseSubuid(uid)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
subgidRangesWithUID, err := parseSubgid(uid)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
subuidRanges := append(subuidRangesWithUserName, subuidRangesWithUID...)
|
|
|
|
subgidRanges := append(subgidRangesWithUserName, subgidRangesWithUID...)
|
|
|
|
|
|
|
|
if len(subuidRanges) == 0 {
|
|
|
|
return nil, errors.Errorf("no subuid ranges found for user %q", username)
|
|
|
|
}
|
|
|
|
if len(subgidRanges) == 0 {
|
|
|
|
return nil, errors.Errorf("no subgid ranges found for user %q", username)
|
|
|
|
}
|
|
|
|
|
|
|
|
return &IdentityMapping{
|
|
|
|
uids: createIDMap(subuidRanges),
|
|
|
|
gids: createIDMap(subgidRanges),
|
|
|
|
}, nil
|
|
|
|
}
|