docker export is missing ownership information; chown does not work
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
docker.io-app (Ubuntu) | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Bug Description
[ Impact ]
The tar archive created by the docker export command is missing ownership information (all files are owned by root). If this archive is then used to recreate a filesystem for unprivileged processes (for example via docker import, or by just unpacking it and chrooting), they can fail with a permission denied error or in some other way.
This bug happens when the package is built with Go older than 1.19: that version of Go introduced the build tag unix, which upstream uses to determine whether it should add UNIX-specific attributes to the archive. Older Go versions silently ignore this source code, and the result is missing UIDs and GIDs in tar archives. As Go 1.20 was backported to the affected releases, the attached patches use this version to fix the bug.
[ Test Plan ]
Run the following commands (as a user in the docker group or as root):
docker run --name lp_2029523 ubuntu:20.04 ls -l /etc/shadow
docker export lp_2029523 | tar tv etc/shadow
The first command will show that the file is owned by root:shadow, while the second will show that it is owned by UID/GID 0/0. Here you can downgrade or apply the fix to see that the second command starts to show UID/GID 0/42, which is correct.
[ Where problems could occur ]
Upstream builds this Docker version with Go 1.19. While Go is usually pretty good at maintaining backward compatibility, there were some subtle changes in Go 1.20, like the handling of TLS handshake failures and some other error handling. So there could be changes in behavior when an error arises.
[ Other Info ]
Bug introduced in 20.10.25-
The issue is caused by this change https:/
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: docker.io 20.10.25-
ProcVersionSign
Uname: Linux 5.15.0-72-generic x86_64
ApportVersion: 2.20.11-
Architecture: amd64
CasperMD5CheckR
Date: Thu Aug 3 20:27:42 2023
InstallationDate: Installed on 2023-05-19 (76 days ago)
InstallationMedia: Ubuntu 20.04.6 LTS "Focal Fossa" - Release amd64 (20230316)
SourcePackage: docker.io-app
UpgradeStatus: No upgrade log present (probably fresh install)
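The ownership check from the test plan, written as an added Go example that is not part of the bug report or of Docker's code. The names owner, checkOwnership and sampleArchive are hypothetical, the one-file archive is constructed in memory, and the expected 0/42 for etc/shadow is the value given in the test plan.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
)

type owner struct{ UID, GID int } // numeric UID/GID as stored in a tar header

// checkOwnership reads a tar stream (such as `docker export` output) and returns
// one message per entry in want that has a different UID/GID or is absent.
func checkOwnership(r io.Reader, want map[string]owner) ([]string, error) {
	var bad []string
	seen := map[string]bool{}
	tr := tar.NewReader(r)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return nil, err
		}
		w, ok := want[h.Name]
		if ok && (h.Uid != w.UID || h.Gid != w.GID) {
			bad = append(bad, fmt.Sprintf("%s: got %d/%d, want %d/%d", h.Name, h.Uid, h.Gid, w.UID, w.GID))
		}
		seen[h.Name] = ok
	}
	for name := range want {
		if !seen[name] {
			bad = append(bad, name+": not in archive")
		}
	}
	return bad, nil
}

// sampleArchive builds a constructed one-entry archive standing in for an export.
func sampleArchive(gid int) *bytes.Buffer {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	tw.WriteHeader(&tar.Header{Name: "etc/shadow", Mode: 0640, Uid: 0, Gid: gid, Typeflag: tar.TypeReg})
	tw.Close()
	return &buf
}

func main() {
	want := map[string]owner{"etc/shadow": {0, 42}}
	for _, gid := range []int{0, 42} { // 0 = archive from an affected build, 42 = fixed
		fmt.Println(checkOwnership(sampleArchive(gid), want))
	}
}
```

Against a real container, pass os.Stdin to checkOwnership and pipe docker export into the program.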
no longer affects: | docker.io-app (Ubuntu Mantic) |
no longer affects: | docker.io-app (Ubuntu Lunar) |
tags: | added: regression-update |
description: | updated |
Changed in docker.io-app (Ubuntu): | |
status: | New → In Progress |
Changed in docker.io-app (Ubuntu Focal): | |
status: | New → In Progress |
Changed in docker.io-app (Ubuntu Jammy): | |
status: | New → In Progress |
tags: |
added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal |
Changed in docker.io-app (Ubuntu): | |
status: | In Progress → Fix Committed |
summary: |
- docker export is missing ownership information
+ docker export is missing ownership information; chmod does not work |
summary: |
- docker export is missing ownership information; chmod does not work
+ docker export is missing ownership information; chown does not work |
This is a debdiff with the suggested unix build tag patch applicable to 20.10.25-0ubuntu1~20.04.1. I built this in pbuilder and it builds successfully; I installed it, and the patch works as intended.