can't trace symbolic link layer.tar (rare case) #58

Open
tomoyamachi opened this issue Nov 2, 2019 · 0 comments
Labels: bug (Something isn't working)


tomoyamachi commented Nov 2, 2019

Description

```dockerfile
COPY sample.txt /app/sample.txt
RUN chmod u+s /app/sample.txt
RUN chmod u-s /app/sample.txt
```

This sample.txt is not a suid file, but Dockle sometimes detects it as a suid file.
※ Docker version 19.03.3, build a872fc2

This is caused by a symbolically linked layer.tar file.

```
├── 99dd0e6c897c668eaff4c7db78af46f0222de6002d826850b7ccf7647c734b52
│   ├── VERSION
│   ├── json
│   └── layer.tar #=> extract /app/sample.txt
├── 9e54adcf82bab951408ca086571b79a04f34afe2e5984f16a36147c3bd2bdff5
│   ├── VERSION
│   ├── json
│   └── layer.tar
├── cc9cb9922a613543e7600f4ad3101855d2dd2f04043e46dbf2824adb9aff886b
│   ├── VERSION
│   └── layer.tar -> ../99dd0e6c897c668eaff4c7db78af46f0222de6002d826850b7ccf7647c734b52/layer.tar
```

I can't reproduce this with a simplified image.

symbolic linked Dockerfile

This Dockerfile creates a symbolically linked layer.tar.

```dockerfile
FROM debian:jessie-slim
RUN apt-get update && apt-get install -y git
RUN useradd nopasswd -p ""
RUN chmod u+s /etc/shadow
RUN chmod g+s /etc/passwd
ADD credentials.json /app/credentials.json
COPY suid.txt /app/suid.txt
RUN chmod u+s /app/suid.txt
COPY guid.txt /app/guid.txt
RUN chmod g+s /app/guid.txt
COPY once-suid.txt /app/once-suid.txt
RUN chmod u+s /app/once-suid.txt
RUN chmod u-s /app/once-suid.txt
```

simplified PoC Dockerfile

This Dockerfile does not create a symbolically linked layer.tar.

```dockerfile
FROM debian:jessie-slim
COPY once-suid.txt /app/once-suid.txt
RUN chmod u+s /app/once-suid.txt
RUN chmod u-s /app/once-suid.txt
```

What happened instead?

Never detects a suid file.

tomoyamachi added the bug label Nov 2, 2019
tomoyamachi added the duplicate and bug labels and removed the bug and duplicate labels Sep 7, 2021
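The archive layout in the issue, where one layer directory's layer.tar is a symlink to another directory's layer.tar, can be handled by resolving link entries before any layer is read. The following Go sketch is an added example, not part of the original issue and not Dockle's own code; `resolveLayers`, `sampleArchive` and the shortened layer IDs are constructed for illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
)

// resolveLayers maps every */layer.tar entry of a `docker save` style archive
// to the regular file that holds its bytes, following symlinked entries.
func resolveLayers(r io.Reader) (map[string]string, error) {
	out, links := map[string]string{}, map[string]string{}
	tr := tar.NewReader(r)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		switch name := path.Clean(h.Name); {
		case path.Base(name) != "layer.tar": // VERSION, json, manifest: skip
		case h.Typeflag == tar.TypeReg:
			out[name] = name
		case h.Typeflag == tar.TypeSymlink: // target is relative to the link's directory
			links[name] = path.Join(path.Dir(name), h.Linkname)
		}
	}
	// Resolve after the full pass, so a link may appear before its target.
	for name, target := range links {
		if out[target] != target { // missing, outside the archive, or itself a link
			return nil, fmt.Errorf("%s -> %s: target is not a regular layer.tar in this archive", name, target)
		}
		out[name] = target
	}
	return out, nil
}

// sampleArchive builds a constructed archive with empty layers and made-up short IDs.
func sampleArchive(linkTarget string) *bytes.Buffer {
	buf := new(bytes.Buffer)
	tw := tar.NewWriter(buf)
	tw.WriteHeader(&tar.Header{Name: "99dd/layer.tar", Typeflag: tar.TypeReg, Mode: 0644})
	tw.WriteHeader(&tar.Header{Name: "cc9c/layer.tar", Typeflag: tar.TypeSymlink, Linkname: linkTarget})
	tw.Close()
	return buf
}

func main() {
	fmt.Println(resolveLayers(sampleArchive("../99dd/layer.tar")))
}
```

A scanner that applies each layer's file modes in order can use the returned map to read the linked layer's bytes from the target entry instead of skipping it.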