1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
//go:build !windows
// +build !windows
package main
import (
"fmt"
"os"
"os/exec"
"path/filepath"
"strconv"
"strings"
"syscall"
"testing"
"gotest.tools/v3/assert"
)
func (s *DockerCLICpSuite) TestCpToContainerWithPermissions(c *testing.T) {
testRequires(c, testEnv.IsLocalDaemon, DaemonIsLinux)
tmpDir := getTestDir(c, "test-cp-to-host-with-permissions")
defer os.RemoveAll(tmpDir)
makeTestContentInDir(c, tmpDir)
containerName := "permtest"
_, exc := dockerCmd(c, "create", "--name", containerName, "busybox", "/bin/sh", "-c", "stat -c '%u %g %a' /permdirtest /permdirtest/permtest")
assert.Equal(c, exc, 0)
defer dockerCmd(c, "rm", "-f", containerName)
srcPath := cpPath(tmpDir, "permdirtest")
dstPath := containerCpPath(containerName, "/")
args := []string{"cp", "-a", srcPath, dstPath}
out, _, err := runCommandWithOutput(exec.Command(dockerBinary, args...))
assert.NilError(c, err, "output: %v", out)
out, err = startContainerGetOutput(c, containerName)
assert.NilError(c, err, "output: %v", out)
assert.Equal(c, strings.TrimSpace(out), "2 2 700\n65534 65534 400", "output: %v", out)
}
// Check ownership is root, both in non-userns and userns enabled modes
func (s *DockerCLICpSuite) TestCpCheckDestOwnership(c *testing.T) {
testRequires(c, DaemonIsLinux, testEnv.IsLocalDaemon)
tmpVolDir := getTestDir(c, "test-cp-tmpvol")
containerID := makeTestContainer(c,
testContainerOptions{volumes: []string{fmt.Sprintf("%s:/tmpvol", tmpVolDir)}})
tmpDir := getTestDir(c, "test-cp-to-check-ownership")
defer os.RemoveAll(tmpDir)
makeTestContentInDir(c, tmpDir)
srcPath := cpPath(tmpDir, "file1")
dstPath := containerCpPath(containerID, "/tmpvol", "file1")
assert.NilError(c, runDockerCp(c, srcPath, dstPath))
stat, err := os.Stat(filepath.Join(tmpVolDir, "file1"))
assert.NilError(c, err)
uid, gid, err := getRootUIDGID()
assert.NilError(c, err)
fi := stat.Sys().(*syscall.Stat_t)
assert.Equal(c, fi.Uid, uint32(uid), "Copied file not owned by container root UID")
assert.Equal(c, fi.Gid, uint32(gid), "Copied file not owned by container root GID")
}
func getRootUIDGID() (int, int, error) {
uidgid := strings.Split(filepath.Base(testEnv.DaemonInfo.DockerRootDir), ".")
if len(uidgid) == 1 {
// user namespace remapping is not turned on; return 0
return 0, 0, nil
}
uid, err := strconv.Atoi(uidgid[0])
if err != nil {
return 0, 0, err
}
gid, err := strconv.Atoi(uidgid[1])
if err != nil {
return 0, 0, err
}
return uid, gid, nil
}
|
