Merge pull request #1739 from giuseppe/fix-root-permission-force-mask

archive: fix mode for root dir with ForceMask
containers · Oct 30, 2023 · 9665477 · 9665477
2 parents 1fa2bd4 + ff5851d
commit 9665477
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/pkg/archive/archive.go b/pkg/archive/archive.go
@@ -955,14 +955,8 @@ func Unpack(decompressedArchive io.Reader, dest string, options *TarOptions) err
 	if options.ForceMask != nil {
 		// if ForceMask is in place, make sure lchown is disabled.
 		doChown = false
-		uid, gid, mode, err := GetFileOwner(dest)
-		if err == nil {
-			value := fmt.Sprintf("%d:%d:0%o", uid, gid, mode)
-			if err := system.Lsetxattr(dest, idtools.ContainersOverrideXattr, []byte(value), 0); err != nil {
-				return err
-			}
-		}
 	}
+	var rootHdr *tar.Header
 
 	// Iterate through the files in the archive.
 loop:
@@ -1007,6 +1001,9 @@ loop:
 		if err != nil {
 			return err
 		}
+		if rel == "." {
+			rootHdr = hdr
+		}
 		if strings.HasPrefix(rel, ".."+string(os.PathSeparator)) {
 			return breakoutError(fmt.Errorf("%q is outside of %q", hdr.Name, dest))
 		}
@@ -1080,6 +1077,14 @@ loop:
 			return err
 		}
 	}
+
+	if options.ForceMask != nil && rootHdr != nil {
+		value := fmt.Sprintf("%d:%d:0%o", rootHdr.Uid, rootHdr.Gid, rootHdr.Mode)
+		if err := system.Lsetxattr(dest, idtools.ContainersOverrideXattr, []byte(value), 0); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }