Dockerfile ADD not preserving "s" file attribute.

[pauldotknopf]

> ls -l root.x86_64/sbin/unix_chkpwd
-rwsr-sr-x 1 root root 31392 Jun  9  2016 root.x86_64/sbin/unix_chkpwd

Then I add the folder with the docker file.

ADD root.x86_64 /

When the image is built, the permissions are different. Running from within the container:

> ls -l /sbin/unix_chkpwd
-rwxr-xr-x 1 root root 31392 Jun  9  2016 /sbin/unix_chkpwd

> docker --version
Docker version 18.01.0-ce, build 03596f51b1

[pauldotknopf]

It works if I add a tar.gz, and let Docker extract the tarbal.

ADD archlinux-bootstrap-2018.02.01-x86_64.tar.gz /
RUN ls -l /root.x86_64/sbin/unix_chkpwd

This is the output.

-rwsr-sr-x 1 root root 31392 Jun  9  2016 /root.x86_64/sbin/unix_chkpwd

[AkihiroSuda]

@tonistiigi @vdemeester @dnephin

Was this intentional?

[dnephin]

I'm not aware of any reason this would be intentional.

[pauldotknopf]

Original question which helped me figure out what the issue was: https://unix.stackexchange.com/questions/422411/pam-authentication-failure-with-valid-password

[pauldotknopf]

What is the status of this? Any estimate for fix?

[AkihiroSuda]

cc @tonistiigi PTAL?

[SmilingNavern]

I would like to try to fix this one.

[AkihiroSuda]

Thanks, PR is appreciated

[SmilingNavern]

Okay, i think i got it. It looks like file with permissions is created before issuing chown syscall on it. And in linux if you make chown that discards suid bit permissions.

[SmilingNavern]

@AkihiroSuda i've created PR for this bug, but i am not sure about implementation. I would be glad to read your comments on this one

[thaJeztah]

Looks like this issue only affects the classic builder, and is fixed with BuildKit enabled;

mkdir repro-36239 && cd repro-36239 
touch 1.bin
chmod 700 1.bin
chmod u+xs 1.bin

ls -la 1.bin
# -rws------ 1 root root 0 Jan 28 10:16 1.bin

echo -e 'FROM busybox:latest\nADD 1.bin /1.bin' > Dockerfile

DOCKER_BUILDKIT=0 docker build -t test .
docker run --rm test ls -la /1.bin
# -rwx------    1 root     root             0 Jan 28 10:16 /1.bin


DOCKER_BUILDKIT=1 docker build -t test .
docker run --rm test ls -la /1.bin
# -rws------    1 root     root             0 Jan 28 10:16 /1.bin

[thaJeztah]

Just to check; docker cp and docker commit als seem to work;

docker run -di --name test busybox

docker cp ./1.bin test:/
docker exec test ls -la /1.bin
# -rws------    1 root     root             0 Jan 28 10:16 /1.bin

docker commit test testimage
docker run --rm testimage ls -la /1.bin
# -rws------    1 root     root             0 Jan 28 10:16 /1.bin