docker / build-push-action

GitHub Action to build and push Docker images with Buildx
https://github.com/marketplace/actions/build-and-push-docker-images
Apache License 2.0
4.1k stars 525 forks

Erroneous set of rwx permissions on etc and usr directories #1130

Open D3vil0p3r opened 3 weeks ago

D3vil0p3r commented 3 weeks ago

Description

I have a Docker container based on an Arch-based Linux distro. Usually I create the container and push it with build-push-action, but when I create and push the container with this action and then pull the image and run the container, the filesystem root has the following permissions:

drwxr-xr-x root root  26 B Wed Jun  5 10:27:55 2024  .
drwxr-xr-x root root  26 B Wed Jun  5 10:27:55 2024  ..
.rwxr-xr-x root root   0 B Wed Jun  5 10:27:55 2024  .dockerenv
lrwxrwxrwx root root   7 B Sun Apr  7 18:02:30 2024  bin ⇒ usr/bin
drwxr-xr-x root root   0 B Sun Apr  7 18:02:30 2024  boot
drwxr-xr-x root root 420 B Wed Jun  5 10:27:55 2024  dev
drwxrwxrwx root root 140 B Wed Jun  5 10:27:58 2024  etc
drwxr-xr-x root root  12 B Wed Jun  5 10:09:04 2024  home
lrwxrwxrwx root root   7 B Sun Apr  7 18:02:30 2024  lib ⇒ usr/lib
lrwxrwxrwx root root   7 B Sun Apr  7 18:02:30 2024  lib64 ⇒ usr/lib
drwxr-xr-x root root   0 B Sun Apr  7 18:02:30 2024  mnt
drwxr-xr-x root root  30 B Wed Jun  5 10:07:57 2024  opt
dr-xr-xr-x root root   0 B Wed Jun  5 10:27:55 2024  proc
drwxr-x--- root root  20 B Wed Jun  5 10:09:03 2024 󰉐 root
drwxr-xr-x root root 460 B Wed Jun  5 10:28:00 2024  run
lrwxrwxrwx root root   7 B Sun Apr  7 18:02:30 2024  sbin ⇒ usr/bin
drwxr-xr-x root root  14 B Sun Jun  2 03:31:09 2024  srv
dr-xr-xr-x root root   0 B Wed Jun  5 10:27:55 2024  sys
drwxrwxrwt root root 200 B Wed Jun  5 11:17:53 2024  tmp
drwxrwxrwx root root  10 B Wed Jun  5 10:05:00 2024  usr
drwxr-xr-x root root  44 B Wed Jun  5 10:27:58 2024  var

Look at the etc and usr permissions. This creates several issues (for example, /etc/sudoers.d not working if it is world-writable).

When I build the same container locally and I push it by:

git clone https://github.com/Athena-OS/athena-rdp-docker.git
cd athena-rdp-docker
docker buildx build --tag 'athena-rdp:latest' .

docker login
docker push athenaos/rdp:latest

and then run it with docker run, the permissions are set correctly.

So I have the described issue only when I use the Docker action. The GitHub workflow I use for it is:

name: Scheduled Publish

on:
  schedule:
    - cron: '22 4 * * 0'
  workflow_dispatch:

jobs:
  docker-publish:
    runs-on: ubuntu-latest
    steps:
      -
        name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - 
        name: Log to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USER }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}

      -
        name: Build and push
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: athenaos/rdp:latest

Instructions to run the container are in the README of the https://github.com/Athena-OS/athena-rdp-docker repository.

Expected behaviour

The /etc and /usr directories and some of their subdirectories should have the right permissions, for example:

drwxr-xr-x root root 3.4 KB Wed Jun  5 10:33:25 2024  etc
drwxr-xr-x root root 162 B  Wed Jun  5 10:33:25 2024  usr

Actual behaviour

The filesystem root has the following permissions:

drwxrwxrwx root root 140 B Wed Jun  5 10:27:58 2024  etc
drwxrwxrwx root root  10 B Wed Jun  5 10:05:00 2024  usr

Repository URL

https://github.com/Athena-OS/athena-rdp-docker

Workflow run URL

https://github.com/Athena-OS/athena-rdp-docker/blob/main/.github/workflows/docker-publish.yml

Workflow logs

No response

BuildKit logs

No response

Additional info

No response

D3vil0p3r commented 3 weeks ago

I investigated further and noted that the issue is still caused by COPY rootfs/ / when it is processed by build-push-action. In practice, when build-push-action copies all the files and directories to the root of the container, it copies them with all write permissions.

crazy-max commented 2 weeks ago

Thanks for reporting.

This looks related to BuildKit, not the GitHub action. Building your project with this Dockerfile locally gives the same behavior:

FROM athenaos/base:latest
RUN ls -al /
COPY rootfs/ /
RUN ls -al /

$ docker buildx build --no-cache --progress=plain .
...
#5 [internal] load build context
#5 transferring context: 1.77kB 0.2s done
#5 DONE 0.2s

#6 [2/4] RUN ls -al /
#6 0.380 total 52
#6 0.380 drwxr-xr-x   1 root root 4096 Jun 12 14:31 .
#6 0.380 drwxr-xr-x   1 root root 4096 Jun 12 14:31 ..
#6 0.380 lrwxrwxrwx   1 root root    7 Apr  7 18:02 bin -> usr/bin
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 boot
#6 0.380 drwxr-xr-x   5 root root  340 Jun 12 14:31 dev
#6 0.380 drwxr-xr-x   1 root root 4096 Jun 12 14:31 etc
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 home
#6 0.380 lrwxrwxrwx   1 root root    7 Apr  7 18:02 lib -> usr/lib
#6 0.380 lrwxrwxrwx   1 root root    7 Apr  7 18:02 lib64 -> usr/lib
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 mnt
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 opt
#6 0.380 dr-xr-xr-x 494 root root    0 Jun 12 14:31 proc
#6 0.380 drwxr-x---   2 root root 4096 Apr  7 18:02 root
#6 0.380 drwxr-xr-x   2 root root 4096 Apr  7 18:02 run
#6 0.380 lrwxrwxrwx   1 root root    7 Apr  7 18:02 sbin -> usr/bin
#6 0.380 drwxr-xr-x   4 root root 4096 Jun  9 03:31 srv
#6 0.380 dr-xr-xr-x  11 root root    0 Jun  6 10:00 sys
#6 0.380 drwxrwxrwt   2 root root 4096 Apr  7 18:02 tmp
#6 0.380 drwxr-xr-x   8 root root 4096 Jun  9 03:31 usr
#6 0.380 drwxr-xr-x  12 root root 4096 Jun  9 03:31 var
#6 DONE 0.4s

#7 [3/4] COPY rootfs/ /
#7 DONE 0.1s

#8 [4/4] RUN ls -al /
#8 0.428 total 56
#8 0.428 drwxr-xr-x   1 root root 4096 Jun 12 14:31 .
#8 0.428 drwxr-xr-x   1 root root 4096 Jun 12 14:31 ..
#8 0.428 lrwxrwxrwx   1 root root    7 Apr  7 18:02 bin -> usr/bin
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 boot
#8 0.428 drwxr-xr-x   5 root root  340 Jun 12 14:31 dev
#8 0.428 drwxrwxrwx   1 root root 4096 Jun 12 14:31 etc
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 home
#8 0.428 lrwxrwxrwx   1 root root    7 Apr  7 18:02 lib -> usr/lib
#8 0.428 lrwxrwxrwx   1 root root    7 Apr  7 18:02 lib64 -> usr/lib
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 mnt
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 opt
#8 0.428 dr-xr-xr-x 496 root root    0 Jun 12 14:31 proc
#8 0.428 drwxr-x---   2 root root 4096 Apr  7 18:02 root
#8 0.428 drwxr-xr-x   2 root root 4096 Apr  7 18:02 run
#8 0.428 lrwxrwxrwx   1 root root    7 Apr  7 18:02 sbin -> usr/bin
#8 0.428 drwxr-xr-x   4 root root 4096 Jun  9 03:31 srv
#8 0.428 dr-xr-xr-x  11 root root    0 Jun  6 10:00 sys
#8 0.428 drwxrwxrwt   2 root root 4096 Apr  7 18:02 tmp
#8 0.428 drwxrwxrwx   1 root root 4096 Jun 12 14:27 usr
#8 0.428 drwxr-xr-x  12 root root 4096 Jun  9 03:31 var
#8 DONE 0.5s
...

Related issue is here: https://github.com/moby/buildkit/issues/3602
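A CI-side guard for the behaviour shown in the build log above, added here as an example and not part of this thread, of build-push-action, or of BuildKit: a POSIX shell function that walks an extracted image root filesystem and reports directories that are world-writable without the sticky bit, which is exactly what the listing shows for etc and usr after the COPY step. It assumes the rootfs has already been extracted to a directory (for instance with `docker create` followed by `docker export` piped into `tar`); the function names, the constructed sample tree and the exit codes are my own choices.

```shell
#!/bin/sh
# Example added for this thread: detect world-writable directories (no sticky
# bit) under a root filesystem, so a build job can fail before an image with
# 0777 /etc or /usr is pushed. The rootfs path is an argument; it is assumed to
# be an extracted image (e.g. `docker create` + `docker export | tar -x`).

# Print each directory under "$1" that is writable by "other" and not sticky.
# /tmp-style directories (drwxrwxrwt) are legitimately world-writable, so the
# sticky bit exempts them. One path per line; empty output means clean.
world_writable_dirs() {
    rootfs=$1
    # -perm -o+w: "other" has write; ! -perm -1000: sticky bit absent.
    find "$rootfs" -type d -perm -o+w ! -perm -1000 2>/dev/null | sort
}

# Return 0 if the rootfs is clean, 1 if any offending directory exists.
# Intended as the last step of a build job, before `docker push`.
check_rootfs() {
    offenders=$(world_writable_dirs "$1")
    if [ -n "$offenders" ]; then
        printf 'world-writable directories found:\n%s\n' "$offenders" >&2
        return 1
    fi
    return 0
}

# Build a constructed sample tree that mimics the broken image in this thread:
# /etc and /usr at 0777, /tmp at 1777 (allowed), everything else at 0755.
make_sample_rootfs() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/sudoers.d" "$dir/usr/bin" "$dir/tmp" "$dir/var"
    chmod 0777 "$dir/etc" "$dir/usr"
    chmod 0755 "$dir/etc/sudoers.d" "$dir/usr/bin" "$dir/var"
    chmod 1777 "$dir/tmp"
    printf '%s\n' "$dir"
}

# Demo on the constructed tree: the check must reject it.
sample=$(make_sample_rootfs)
if check_rootfs "$sample"; then
    echo "sample rootfs passed (unexpected)"
else
    echo "sample rootfs rejected, as an image with 0777 /etc and /usr should be"
fi
rm -rf "$sample"
```

In a workflow this would run as a step between the build and the push (with `push: false` or `load: true` on the build step, and a separate push once the check passes); on a real rootfs the only expected hits are sticky directories such as /tmp, which the sticky-bit exemption already skips.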

D3vil0p3r commented 2 weeks ago

@crazy-max thanks for the answer. The strange fact is that the mentioned open issue was opened 1 year ago, but I experienced this issue only in the last month... And if I manually build the image, it works correctly. If I use the mentioned GH actions no...

Indeed the latest pushed image in docker hub of Athena OS was built locally and you can see that the permissions are set correctly.

crazy-max commented 1 week ago

@D3vil0p3r This seems linked to a regression since BuildKit 0.13: https://github.com/moby/buildkit/issues/5066

Can you try with:

      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver-opts: image=moby/buildkit:v0.12.5

D3vil0p3r commented 1 week ago

Hey @crazy-max by using your workaround, the permissions are set now correctly. Thank you.

I guess that buildkit must fix the issue.