From 7749a0d5c44155f79d0eb1472eb5fbd80cf9fd45 Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Fri, 30 Aug 2024 09:16:25 +0200
Subject: [PATCH 1/3] build_library: Don't preserve file ownership when copying sysext files
The docker and containerd copy files from the repository, which are owned by the sdk user. This ownership leaks into the final image, which means the first created user could edit systemd files. This is bad. Modify the cp invocation to copy files without preserving ownership. The sysext-mangle script is called by build_sysext, which is executed using sudo.
Signed-off-by: Jeremi Piotrowski
---
 build_library/sysext_mangle_containerd-flatcar | 3 ++-
 build_library/sysext_mangle_docker-flatcar | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/build_library/sysext_mangle_containerd-flatcar b/build_library/sysext_mangle_containerd-flatcar
index 1d3502d33ae..37b89e52dde 100755
--- a/build_library/sysext_mangle_containerd-flatcar
+++ b/build_library/sysext_mangle_containerd-flatcar
@@ -12,7 +12,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
 mkdir -p "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
 { echo "[Unit]"; echo "Upholds=containerd.service"; } > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"
diff --git a/build_library/sysext_mangle_docker-flatcar b/build_library/sysext_mangle_docker-flatcar
index b2c055324dc..69287160233 100755
--- a/build_library/sysext_mangle_docker-flatcar
+++ b/build_library/sysext_mangle_docker-flatcar
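Review bot: The new cp line in build_library/sysext_mangle_containerd-flatcar (and the identical one in sysext_mangle_docker-flatcar) only yields root-owned files because the script happens to run as root under sudo, a precondition the commit message states but the code does not; I would make the comment carry it, e.g. `# Don't preserve ownership (no -a): the checkout is owned by the sdk user (uid 1000), which is the first user created on the image; build_sysext runs this as root, so the copies end up 0:0`. Replacing -a with -dR --preserve=mode,timestamps also drops xattr and SELinux-context preservation; if those ever matter for files under files_dir, `cp -va --no-preserve=ownership "${files_dir}/"* "${rootfs}"` keeps them and states the intent in the flag itself. The rest of both scripts lies outside the hunks.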
@@ -11,7 +11,8 @@ script_root="$(cd "$(dirname "$0")/../"; pwd)"
 files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/docker"
 echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
-cp -va "${files_dir}/"* "${rootfs}"
+# ATTENTION: don't preserve ownership as repo is owned by sdk user
+cp -vdR --preserve=mode,timestamps "${files_dir}/"* "${rootfs}"
 mkdir -p "${rootfs}/usr/lib/systemd/system/sockets.target.d"
 { echo "[Unit]"; echo "Upholds=docker.socket"; } > "${rootfs}/usr/lib/systemd/system/sockets.target.d/10-docker-socket.conf"
From cf025a2be9fc24c1ede2616119f87ff52ed5f23e Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Fri, 30 Aug 2024 09:42:34 +0200
Subject: [PATCH 2/3] build_sysext: Add check for invalid file permissions in sysext
Signed-off-by: Jeremi Piotrowski
---
 build_sysext | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/build_sysext b/build_sysext
index 7986adb96d3..823313ef3d2 100755
--- a/build_sysext
+++ b/build_sysext
@@ -295,6 +295,12 @@ printf '%s\n' "${all_fields[@]}" >"${BUILD_DIR}/install-root/usr/lib/extension-r
 info "Removing opaque directory markers to always merge all contents"
 find "${BUILD_DIR}/install-root" -xdev -type d -exec sh -c 'if [ "$(attr -R -q -g overlay.opaque {} 2>/dev/null)" = y ]; then attr -R -r overlay.opaque {}; fi' \;
+info "Checking for invalid file ownership"
+invalid_files=$(find "${BUILD_DIR}/install-root" -user sdk -or -group sdk)
+if [[ -n "${invalid_files}" ]]; then
+ die "Invalid file ownership: ${invalid_files}"
+fi
+
 mksquashfs "${BUILD_DIR}/install-root" "${BUILD_DIR}/${SYSEXTNAME}.raw" \
 -noappend -xattrs-exclude '^btrfs.' -comp "${FLAGS_compression}" ${FLAGS_mksquashfs_opts}
 rm -rf "${BUILD_DIR}"/{fs-root,install-root,workdir}
From fa050e999d3d1466148ff8d3301bb9590ca9b93c Mon Sep 17 00:00:00 2001
From: Jeremi Piotrowski
Date: Fri, 30 Aug 2024 09:52:50 +0200
Subject: [PATCH 3/3] changelog: Add entry for sysext file ownership bugfix
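Review bot: The ownership check added to build_sysext is name-based and negative: `find ... -user sdk -or -group sdk` only flags files owned by an account literally called sdk, so a checkout owned by uid 1000 on a host without that account (or by any other non-root user) passes unnoticed, and on such a host find itself errors on the unknown user name, which either aborts the build for the wrong reason or, if set -e is not in effect at this point, leaves invalid_files empty and the check vacuously green. Since the changelog states the intended state is 0:0, a positive check is tighter: `invalid_files=$(find "${BUILD_DIR}/install-root" \( ! -user root -o ! -group root \))`, which also replaces the GNU-only `-or` with POSIX `-o`; if some package legitimately installs non-root-owned files into the sysext, that would need an explicit allowlist rather than the current name match. The script's top-level code continues on both sides of the hunk.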
Signed-off-by: Jeremi Piotrowski
---
 changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
diff --git a/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
new file mode 100644
index 00000000000..2c0c2929097
--- /dev/null
+++ b/changelog/bugfixes/2024-08-30-fix-sysext-file-ownership.md
@@ -0,0 +1 @@
+- Fix ownership of systemd units shipped with built-in docker/containerd sysexts. The files shipped on production images were accidentally owned by 1000:1000 instead of 0:0. This uid/gid is not present on Flatcar images but would be assigned to the first created user. Due to contents of sysexts and /usr being readonly on Flatcar, the invalid permissions can't be used to escalate privileges. ([scripts#2266](https://github.com/flatcar/scripts/pull/2266))