os: OpenRoot follows symlinks

[glycerine]

Go version

go version 1.24.0

Output of go env in your module/workspace:

see below.

What did you do?

Reading #67002 and https://go.dev/doc/go1.24#directory-limited-filesystem-access, I was under the impression that the new os.Root was supposed to return an error on root.Open() of a symlink to /etc/ and then opening /etc/passwd.

On MacOS Sonoma 14.0, go 1.24.0 amd64:

uname -a
Darwin jbook.chimera-bass.ts.net 23.0.0 Darwin Kernel Version 23.0.0: Fri Sep 15 14\
:42:42 PDT 2023; root:xnu-10002.1.13~1/RELEASE_X86_64 x86_64

jaten@Js-MacBook-Pro ~/trash/root $ ln -s /etc symlink
ln -s /etc symlink
jaten@Js-MacBook-Pro ~/trash/root $ go run root.go
go run root.go
read file, got: '##
# User Database
# 
# Note that this file is consulted directly only when the system is running
# in single-user mode.  At other times this information is provided by
# Open Directory.
#
# See the opendirectoryd(8) man page for additional information about
# Open Directory.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:*:0:0:System Administrator:/var/root:/bin/sh
... the rest of my /etc/passwd file elided for security reasons...
'
jaten@Js-MacBook-Pro ~/trash/root $ go version
go version
go version go1.24.0 darwin/amd64
jaten@Js-MacBook-Pro ~/trash/root $ cat root.go
cat root.go
package main

import (
	"fmt"
	"os"
)

func main() {
	root, err := os.OpenRoot("symlink")
	if err != nil {
		panic(err)
	}
	fd, err := root.Open("passwd")
	if err != nil {
		panic(err)
	}
	buf := make([]byte, 1<<20)
	n, err := fd.Read(buf)
	if err != nil {
		panic(err)
	}
	fmt.Printf("read file, got: '%v'\n", string(buf[:n]))
}
jaten@Js-MacBook-Pro ~/trash/root $

jaten@Js-MacBook-Pro ~/trash/root $ go env
go env
AR='ar'
CC='clang'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='clang++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/Users/jaten/Library/Caches/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/Users/jaten/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/b6/q5ms8t4x5cjcpcpyjrb1h91c0000gn/T/go-build4060061549=/tmp/go-build -gno-record-gcc-switches -fno-common'
GOHOSTARCH='amd64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMOD=''
GOMODCACHE='/Users/jaten/go/pkg/mod'
GONOPROXY='github.com/glycerine/*'
GONOSUMDB='github.com/glycerine/*'
GOOS='darwin'
GOPATH='/Users/jaten/go'
GOPRIVATE='github.com/glycerine/*'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='off'
GOTELEMETRYDIR='/Users/jaten/Library/Application Support/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/darwin_amd64'
GOVCS=''
GOVERSION='go1.24.0'
GOWORK=''
PKG_CONFIG='pkg-config'

What did you see happen?

See above.

What did you expect to see?

Not to be able to access /etc/password from an os.Root in /Users/jaten/trash/root.

[glycerine]

@neild if this is supposed to be allowed, perhaps clarify the docs?

"Symbolic links must not be absolute." <- I was not sure if/how that was supposed to apply to pre-existing absolute symlinks. I'd like to be able to chroot a directory with absolute symlinks already in it (since I have a ton of these), but just not have them followed if opened.

[gabyhelp]

Related Issues

• path/filepath: TestEvalSymlinksAboveRoot failure on macOS #35201 (closed)
• os/user: Lookup fails to find users when running as root on darwin-arm64 cross compiled from darwin-amd64 #43543
• os: new runtime.GOOS of "ios" breaks os.User*Dir functions on GoTip for Go1.16 #42878 (closed)
• path/filepath: go test fails when GOROOT isn't writeable #23881 (closed)
• os: `UserConfigDir` and `UserCacheDir` should disallow relative paths in the environment variables #68470 (closed)
• os: `Lstat` on `darwin` sometimes fails to expand symlinks in paths with trailing slashes #59586
• path/filepath: EvalSymlinks fails to follow symlink when root entry is a symlink #39818
• os: TestFileChdir fail when GOROOT is a symbolic link #64281 (closed)
• os: Testing re. hardlinks failing on macs. #30179 (closed)
• os/exec: The TestImplicitPWD test fails when running under a soft link folder. #52537 (closed)

_{(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)}

[seankhliao]

The parts you quote are only for methods, after you've opened a root.

Conceptually, the only safe way is to start from a trusted location, in your case os.OpenRoot("."), after which you can't follow links out.

[gopherbot]

Change https://go.dev/cl/650355 mentions this issue: os: document that OpenRoot follows symlinks

[neild]

As @seankhliao says, the name passed to os.OpenRoot is expected to be a trusted path, and OpenRoot will follow symlinks in that path. Once you have an *os.Root, methods on the Root ensure that operations remain within that root. This is something the docs could probably be clearer on; sent CL 650355.

I'd like to be able to chroot a directory with absolute symlinks already in it (since I have a ton of these), but just not have them followed if opened.

If an operation in a Root would traverse an absolute symlink, the operation fails (even if the symlink resolves to a location inside the root). So I think Root behaves the way you want here.