cp, save and export allow replacing irregular files #1514

@sw-pschmied

Description

The docker commands cp, save and export allow replacing irregular files - e.g. devices under /dev. Please see the following screenshot to demonstrate this misbehaviour:

[Screenshot: docker-dev-random]

As you can see, the device /dev/random was replaced with a file containing the saved docker image. This was originally discovered when executing docker save <image> -o /dev/null when performing tests, only to find out that applications relying on the /dev/null device are misbehaving.

While I think there's no valid use-case for this behaviour, the best solution would be to disallow irregular files for the commands mentioned above. This prevents people from accidentally damaging parts of their system.

A PR regarding this is on its way.

Steps to reproduce the issue:

  1. Pull an arbitrary docker image: docker pull ubuntu:latest
  2. Save the pulled image to a file using the -o option: docker save ubuntu:latest -o /dev/random
  3. Confirm that the device itself has been replaced with a regular file: stat /dev/random shows regular file instead of character special file.

Describe the results you received:

The device/irregular file has been replaced with the output of cp/export/save.

Describe the results you expected:

Replacing devices/irregular files should be prevented by the CLI to prevent system damage.

Output of docker version:

Docker version 19.03.0-dev, build 374b480e

Output of docker info:

Containers: 1
 Running: 0
 Paused: 0
 Stopped: 1
Images: 187
Server Version: 17.12.1-ce
Storage Driver: overlay2
 Backing Filesystem: extfs
 Supports d_type: true
 Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: cgroupfs
Plugins:
 Volume: local
 Network: bridge host macvlan null overlay
 Log: awslogs fluentd gcplogs gelf journald json-file logentries splunk syslog
Swarm: inactive
Runtimes: runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 9b55aab90508bd389d7654c4baf173a981477d55
runc version: 9f9c96235cc97674e935002fc3d78361b696a69e
init version: v0.13.0 (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
 apparmor
 seccomp
  Profile: default
Kernel Version: [...]
Operating System: Ubuntu 18.04.1 LTS
OSType: linux
Architecture: x86_64
CPUs: 4
Total Memory: 15.55GiB
Name: [...]
ID: CR7L:OCP4:IZ76:VHOD:ZCDV:PLTN:QKYD:D7TV:OYKN:3QB5:TQTN:QCAK
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
 127.0.0.0/8
Live Restore Enabled: false

WARNING: No swap limit support
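
An added example, not code from the Docker CLI or from the pull request mentioned above: a pre-flight check of the kind the report asks for, applied to an `-o` destination as used by `save` and `export`. The helper names `checkOutputMode` and `checkOutputPath` are hypothetical, and the sample paths in `main` are constructed apart from `/dev/random`, which is the path from the report.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
)

// checkOutputMode is a hypothetical helper: it accepts only regular files as
// an existing destination and names the file type it refuses.
func checkOutputMode(mode fs.FileMode) error {
	switch {
	case mode.IsRegular():
		return nil
	case mode&fs.ModeDevice != 0: // block and character devices, e.g. /dev/null
		return errors.New("refusing to overwrite a device")
	default: // directory, FIFO, socket or other irregular file
		return fmt.Errorf("refusing to overwrite non-regular file (type %s)", mode.Type())
	}
}

// checkOutputPath is a hypothetical pre-flight check for an -o style argument.
// os.Stat follows symlinks, so a symlink pointing at a device is refused too.
// It guards against accidents; it is not a race-free security boundary, since
// the path could change between this check and the write.
func checkOutputPath(path string) error {
	fi, err := os.Stat(path)
	if errors.Is(err, fs.ErrNotExist) {
		return nil // destination will be created as a new regular file
	}
	if err != nil {
		return err
	}
	if err := checkOutputMode(fi.Mode()); err != nil {
		return fmt.Errorf("invalid output path %q: %w", path, err)
	}
	return nil
}

func main() {
	// Constructed sample destinations; /dev/random is the path from the report.
	for _, p := range []string{"/dev/null", "/dev/random", os.TempDir(), "image.tar"} {
		fmt.Printf("%-12s -> %v\n", p, checkOutputPath(p))
	}
}
```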
