Merge pull request #308 from natefoo/fix-unpriv-unlink

Fix operations on read-only files when running unprivileged.
2025-08-03 18:05:58 -04:00 · 2021-07-08 16:16:25 +02:00 · 2021-07-08 16:16:25 +02:00 · 181973f531
commit 181973f531
parent 58a016d03c 6819869a8f
4 changed files with 39 additions and 0 deletions
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@ -89,6 +89,7 @@ jobs:
                sudo tests/unlink.sh
                sudo tests/alpine.sh
                sudo sh -c "(cd /root/go/src/github.com/containers/storage/tests; JOBS=1 STORAGE_OPTION=overlay.mount_program=/sbin/fuse-overlayfs STORAGE_DRIVER=overlay unshare -m ./test_runner.bash)"
+                tests/unpriv.sh
            ;;
            no-ovl-whiteouts)
                sudo sh -c "(cd /unionmount-testsuite; FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 unshare -m ./run --ov --fuse=fuse-overlayfs --xdev)"
@ -96,5 +97,6 @@ jobs:
                sudo FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 tests/unlink.sh
                sudo FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 tests/alpine.sh
                sudo sh -c "(cd /root/go/src/github.com/containers/storage/tests; JOBS=1 FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 STORAGE_OPTION=overlay.mount_program=/sbin/fuse-overlayfs STORAGE_DRIVER=overlay unshare -m ./test_runner.bash)"
+                FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT=1 tests/unpriv.sh
            ;;
        esac
--- a/fuse-overlayfs.h
+++ b/fuse-overlayfs.h
@ -105,6 +105,9 @@ struct ovl_data
  uid_t uid;
  uid_t gid;

+  /* process euid. */
+  uid_t euid;
+
  struct ovl_plugin_context *plugins_ctx;
 };

--- a/main.c
+++ b/main.c
@ -2972,6 +2972,8 @@ copyup (struct ovl_data *lo, struct ovl_node *node)
  mode = st.st_mode;
  if (lo->xattr_permissions)
    mode |= 0755;
+  if (lo->euid > 0)
+    mode |= 0200;

  if ((mode & S_IFMT) == S_IFDIR)
    {
@ -5510,6 +5512,7 @@ main (int argc, char *argv[])
                        .squash_to_gid = -1,
                        .static_nlink = 0,
                        .xattr_permissions = 0,
+                        .euid = geteuid (),
                        .timeout = 1000000000.0,
                        .timeout_str = NULL,
                        .writeback = 1,
--- a/tests/unpriv.sh
+++ b/tests/unpriv.sh
@ -0,0 +1,31 @@
+#!/bin/sh
+
+set -ex
+
+test $(id -u) -gt 0
+
+rm -rf unpriv-test
+mkdir unpriv-test
+
+cd unpriv-test
+
+mkdir lower upper workdir merged
+
+touch lower/a lower/b
+chmod 444 lower/a lower/b
+
+fuse-overlayfs -o lowerdir=lower,upperdir=upper,workdir=workdir merged
+
+rm -f merged/a
+chmod 406 merged/b
+
+test \! -e merged/a
+test $(stat --printf=%a merged/b) -eq 406
+test $(stat --printf=%a upper/b) -eq 406
+if [ ${FUSE_OVERLAYFS_DISABLE_OVL_WHITEOUT:-0} -eq 1 ]; then
+    test -e upper/.wh.a
+else
+    test -c upper/a
+fi
+
+fusermount -u merged || [ $? -eq "${EXPECT_UMOUNT_STATUS:-0}" ]