Unable to set SGID for file with different user and group #6828

Closed
andypp opened this Issue Jul 3, 2014 · 18 comments


andypp commented Jul 3, 2014

SGID can be set for a file with the same user and group, but not if the user is different from the group.

bash-4.1# touch afile
bash-4.1# ls -l afile
-rw-r--r-- 1 root root 0 Jul  3 00:56 afile
bash-4.1# chmod 6754 afile
bash-4.1# ls -l afile
-rwsr-sr-- 1 root root 0 Jul  3 00:56 afile
bash-4.1# chown root:users afile
bash-4.1# ls -l afile
-rwxr-xr-- 1 root users 0 Jul  3 00:56 afile
bash-4.1# chmod 6754 afile
bash-4.1# ls -l afile
-rwsr-xr-- 1 root users 0 Jul  3 00:56 afile

Docker version: 1.0.0, build 63fe64c/1.0.0 on Centos 6.5
Image: centos:6.4 and ubuntu:12.04

Bacto commented Jul 7, 2014

Hi,

I have exactly the same problem with setgid:

root@bc5dc91d86ff:/usr/sbin# ls -al postqueue
-r-sr-xr-x 1 root postdrop 14280 Feb 12 06:23 postqueue

root@bc5dc91d86ff:/usr/sbin# chmod g+s postqueue
root@bc5dc91d86ff:/usr/sbin# ls -al postqueue
-r-sr-xr-x 1 root postdrop 14280 Feb 12 06:23 postqueue

root@bc5dc91d86ff:/usr/sbin# chgrp root postqueue
root@bc5dc91d86ff:/usr/sbin# chmod g+s postqueue
root@bc5dc91d86ff:/usr/sbin# ls -al postqueue
-r-xr-sr-x 1 root root 14280 Feb 12 06:23 postqueue

root@bc5dc91d86ff:/usr/sbin# chgrp postdrop postqueue
root@bc5dc91d86ff:/usr/sbin# ls -al postqueue
-r-xr-xr-x 1 root postdrop 14280 Feb 12 06:23 postqueue

root@bc5dc91d86ff:/usr/sbin# chmod g+s postqueue
root@bc5dc91d86ff:/usr/sbin# ls -al postqueue
-r-xr-xr-x 1 root postdrop 14280 Feb 12 06:23 postqueue

Docker 1.1.0 on Ubuntu 12.04 and personalized kernel.
Image Ubuntu 14.04

Bacto commented Jul 9, 2014

I have tested it on a fresh Ubuntu 14.04 install, with the Ubuntu kernel and have the same problem.

Client version: 1.1.0
Client API version: 1.13
Go version (client): go1.2.1
Git commit (client): 79812e3
Server version: 1.1.0
Server API version: 1.13
Go version (server): go1.2.1
Git commit (server): 79812000

Bacto commented Jul 10, 2014

I don't have the problem with Docker 0.11.1
The problem starts with Docker 0.12.0

bobtfish commented Jul 10, 2014

+1, this is a big issue for running postfix inside docker.

dominikschulz commented Jul 10, 2014

👍

Elemecca commented Jul 10, 2014

I'm experiencing this problem as well on Docker 1.0. As noted in the original description, contained processes can only assert the setgid bit on files where both the owner and group match those of the process. It is therefore possible to work around the issue by temporarily changing the owner and group to match the contained process:

$ mkdir -p /var/log/foo/bar
$ chown root:root /var/log/foo/bar
$ chmod u=rwx,g=rxs,o= /var/log/foo/bar
$ chown foo:adm /var/log/foo/bar

bobtfish commented Jul 10, 2014

That doesn't work? Changing the owner/group of a file resets the suid/sgid bit.

Elemecca commented Jul 10, 2014

@bobtfish It works for me, maybe because /var/log/foo is a volume. Version info:

$ docker version
Client version: 1.0.0
Client API version: 1.12
Go version (client): go1.2.1
Git commit (client): 63fe64c
Server version: 1.0.0
Server API version: 1.12
Go version (server): go1.2.1
Git commit (server): 63fe64c
$ docker info
Containers: 0
Images: 833
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Dirs: 833
Execution Driver: native-0.2
Kernel Version: 3.13.0-29-generic
WARNING: No swap limit support

Contributor

cpuguy83 commented Jul 11, 2014

Working for me.

bobtfish commented Jul 11, 2014

https://gist.github.com/bobtfish/4aa2f8968c5cefefc9cb Definitely not working for me. @cpuguy83 what kernel and docker versions are you running / can other people run that container to confirm if they're seeing different behavior to me or not?

Collaborator

vieux commented Jul 11, 2014

@cpuguy83 @bobtfish it cannot work, we need to add back this cap to have it working: #6970
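
The comment above does not name the capability. On Linux, chmod(2) clears the setgid bit without returning an error when the caller lacks CAP_FSETID and is not a member of the file's group, which matches the sessions reported in this thread. The following is an added example, not code from this thread or from Docker; it assumes CAP_FSETID is the capability meant, the function names are hypothetical, and the sample masks are constructed. It decodes a capability mask and confirms that `chmod g+s` actually took effect:

```shell
#!/bin/sh
# Added example, not code from the issue thread or from Docker.
# Assumption: the capability at issue is CAP_FSETID (bit 4 in linux/capability.h).
CAP_FSETID_BIT=4

# effective_caps [STATUS_FILE] -> print the CapEff hex mask.
# The default file is read through the shell's own redirection, so "self"
# is this shell and not a helper process.
effective_caps() {
    while read -r key value; do
        if [ "$key" = "CapEff:" ]; then
            echo "$value"
            return 0
        fi
    done < "${1:-/proc/self/status}"
    return 1
}

# has_cap MASK_HEX BIT -> success if BIT is set in the hex capability mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# chmod_sgid PATH -> 0 if the bit stuck, 1 if it was silently dropped,
# 2 if chmod itself failed.
chmod_sgid() {
    chmod g+s "$1" || return 2
    [ -g "$1" ] && return 0
    echo "chmod g+s reported success but setgid is not set on $1" >&2
    return 1
}

# Constructed sample masks: the second differs from the first only in bit 4.
for mask in 00000000a80425fb 00000000a80425eb; do
    if has_cap "$mask" "$CAP_FSETID_BIT"; then
        echo "$mask: CAP_FSETID present"
    else
        echo "$mask: CAP_FSETID absent, chmod g+s can be dropped silently"
    fi
done
```

Inside a container, `has_cap "$(effective_caps)" "$CAP_FSETID_BIT"` checks the running shell, and `chmod_sgid` can replace a bare `chmod g+s` in image build or entrypoint scripts so the dropped bit becomes a visible failure.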

bobtfish commented Jul 11, 2014

Thanks @vieux - I have no idea what the other people in the thread think they're seeing then ;)

Collaborator

vieux commented Jul 11, 2014

@bobtfish I must say at first I was expecting an error.

@cpuguy83 in the example, the last line should be -rwsr-sr-- instead of -rwsr-xr--

Elemecca commented Jul 11, 2014

@bobtfish Ah, sorry, I wasn't clear. I'm asserting SGID on a directory, not on a file. As far as I can tell SGID on directories has different limitations than on files, which makes sense given it also has a completely different effect.

winggundamth commented Jul 14, 2014

+1 I really need this to be fixed

kurtseifried commented Sep 26, 2014

Bump. Has there been any movement on this?

winggundamth commented Sep 26, 2014

It is already fixed in version 1.2.0

kurtseifried commented Sep 26, 2014

Ah sorry, I forgot that had shipped, didn't think to look (been a busy week).
