fix(privilege): keep the root group when dropping to an unprivileged workload#17
Draft
jansav wants to merge 1 commit into
Draft
fix(privilege): keep the root group when dropping to an unprivileged workload#17jansav wants to merge 1 commit into
jansav wants to merge 1 commit into
Conversation
…workload Both privilege-drop paths cleared all supplementary groups before setgid/setuid (setgroups(&[])), so a workload dropped to an arbitrary non-root uid had no group-0 membership. Images built for the "run as an arbitrary non-root uid that belongs to the root group" model (bitnami, OpenShift) own their writable dirs root:0 with group-write and expect the process to be in group 0 — so they fail to write (e.g. bitnami's /opt/bitnami tree: mkdir .../bitnami/certs -> Permission denied). Keep the root group (gid 0) as the dropped workload's sole supplementary group in both the piped path (privilege::apply) and the PTY path (pty::spawn_pty), sharing a ROOT_GID const so the two can't drift.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Both privilege-drop paths cleared all supplementary groups before
setgid/setuid(setgroups(&[])), so a workload dropped to an arbitrary non-root uid had no group-0 membership.Images built for the "run as an arbitrary non-root uid that belongs to the root group (gid 0)" model (bitnami, OpenShift) own their writable dirs
root:0with group-write and expect the process to be in group 0. Without it they can't write — e.g. bitnami/wordpress as uid 1001:Change
Keep the root group (gid 0) as the dropped workload's sole supplementary group:
setgroups(&[Gid::from_raw(ROOT_GID)])in both drop paths —privilege::apply(piped) andpty::spawn_pty(PTY) — sharing aROOT_GIDconst so the two can't drift. The supervisor's own supplementary groups are still dropped (only gid 0 is kept), preserving fail-closed behavior otherwise.Note for reviewers
There are two independent drop paths and interactive (
-i -t) runs use the PTY path — easy to fix one and miss the other. Verified both end-to-end:Tests: 447 pass, clippy clean.
Downstream
Consumed by
lens-sandbox(lns) via the pinnedlens-sandbox-corerev; a follow-up there bumps the rev once this lands. Surfaced while validating a real multi-tier OCI workload (bitnami/wordpress).Closes #15.