Set UID and GID of untared files to zero if user is root #1837
export const ROOT_USER = isRootUser(process.platform, getUid()); | ||
|
||
export function isRootUser(platform: string, uid: ?number): boolean { | ||
return platform !== 'win32' && uid === 0; |
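Review bot: `isRootUser` accepts `uid: ?number` but nothing in the hunk documents when the uid can be null or what the function returns in that case. A one-line comment on `isRootUser` stating that a null uid yields false, and that uid 0 counts as root whether or not the process runs inside a user namespace, would make the contract explicit and settle whether the `platform !== 'win32'` term is needed. Also note that `ROOT_USER` is evaluated once at module load, so it will not reflect a uid change made later in the process lifetime.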
Do you need a second check for `platform !== 'win32'` here? Would not null return false anyway?
I will remove the extraneous check.
Looks more elegant than chmodding all files after they are extracted.
* Set UID and GID of untared files to zero if user is root * Remove second platform check
Ah cool, going to run this on CircleCI on Monday as a number of users experience this issue.
Tried this on CircleCI and it works! (Thanks to @Daniel15) I hope this lands on stable soon.
Summary
Fixes #1750
`TarballFetcher` uses `tar` to untar tarballs. `tar` in turn constructs a `Writer` object per entry in the tarball, preserving the original UID and GID in the tarball.

If `Writer` detects that the UID of the user is 0 (i.e. root user), it will attempt to `chown` the extracted file to the UID.

Usually, this is not a problem. However, as in #1750 and other issues, if the `root` user is not really root but inside a user namespace, and the UID is outside the `subuid` range of the mapped user, then it will fail. This is the same issue for GID.

This PR attempts to just set everything to UID 0 if the user is detected as root, regardless of whether the root is inside a namespace or not.
Test plan
First, configure Docker Daemon with user namespace enabled.

Consider the `Dockerfile`, `package.json`, and `yarn.lock` from this gist.

With this patch, the build will be successful.