github.com/docker/docker@v299999999.0.0-20200612211812-aaf470eca7b5+incompatible/pkg/idtools/idtools_unix.go (about) 1 // +build !windows 2 3 package idtools // import "github.com/docker/docker/pkg/idtools" 4 5 import ( 6 "bytes" 7 "fmt" 8 "io" 9 "os" 10 "path/filepath" 11 "strconv" 12 "strings" 13 "sync" 14 "syscall" 15 16 "github.com/docker/docker/pkg/system" 17 "github.com/opencontainers/runc/libcontainer/user" 18 "github.com/pkg/errors" 19 ) 20 21 var ( 22 entOnce sync.Once 23 getentCmd string 24 ) 25 26 func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting bool) error { 27 // make an array containing the original path asked for, plus (for mkAll == true) 28 // all path components leading up to the complete path that don't exist before we MkdirAll 29 // so that we can chown all of them properly at the end. If chownExisting is false, we won't 30 // chown the full directory path if it exists 31 32 var paths []string 33 34 stat, err := system.Stat(path) 35 if err == nil { 36 if !stat.IsDir() { 37 return &os.PathError{Op: "mkdir", Path: path, Err: syscall.ENOTDIR} 38 } 39 if !chownExisting { 40 return nil 41 } 42 43 // short-circuit--we were called with an existing directory and chown was requested 44 return lazyChown(path, owner.UID, owner.GID, stat) 45 } 46 47 if os.IsNotExist(err) { 48 paths = []string{path} 49 } 50 51 if mkAll { 52 // walk back to "/" looking for directories which do not exist 53 // and add them to the paths array for chown after creation 54 dirPath := path 55 for { 56 dirPath = filepath.Dir(dirPath) 57 if dirPath == "/" { 58 break 59 } 60 if _, err := os.Stat(dirPath); err != nil && os.IsNotExist(err) { 61 paths = append(paths, dirPath) 62 } 63 } 64 if err := system.MkdirAll(path, mode); err != nil { 65 return err 66 } 67 } else { 68 if err := os.Mkdir(path, mode); err != nil && !os.IsExist(err) { 69 return err 70 } 71 } 72 // even if it existed, we will chown the requested path + any subpaths that 73 // didn't exist when we called MkdirAll 74 for _, pathComponent := range paths { 75 if err := lazyChown(pathComponent, owner.UID, owner.GID, nil); err != nil { 76 return err 77 } 78 } 79 return nil 80 } 81 82 // CanAccess takes a valid (existing) directory and a uid, gid pair and determines 83 // if that uid, gid pair has access (execute bit) to the directory 84 func CanAccess(path string, pair Identity) bool { 85 statInfo, err := system.Stat(path) 86 if err != nil { 87 return false 88 } 89 fileMode := os.FileMode(statInfo.Mode()) 90 permBits := fileMode.Perm() 91 return accessible(statInfo.UID() == uint32(pair.UID), 92 statInfo.GID() == uint32(pair.GID), permBits) 93 } 94 95 func accessible(isOwner, isGroup bool, perms os.FileMode) bool { 96 if isOwner && (perms&0100 == 0100) { 97 return true 98 } 99 if isGroup && (perms&0010 == 0010) { 100 return true 101 } 102 if perms&0001 == 0001 { 103 return true 104 } 105 return false 106 } 107 108 // LookupUser uses traditional local system files lookup (from libcontainer/user) on a username, 109 // followed by a call to `getent` for supporting host configured non-files passwd and group dbs 110 func LookupUser(username string) (user.User, error) { 111 // first try a local system files lookup using existing capabilities 112 usr, err := user.LookupUser(username) 113 if err == nil { 114 return usr, nil 115 } 116 // local files lookup failed; attempt to call `getent` to query configured passwd dbs 117 usr, err = getentUser(fmt.Sprintf("%s %s", "passwd", username)) 118 if err != nil { 119 return user.User{}, err 120 } 121 return usr, nil 122 } 123 124 // LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid, 125 // followed by a call to `getent` for supporting host configured non-files passwd and group dbs 126 func LookupUID(uid int) (user.User, error) { 127 // first try a local system files lookup using existing capabilities 128 usr, err := user.LookupUid(uid) 129 if err == nil { 130 return usr, nil 131 } 132 // local files lookup failed; attempt to call `getent` to query configured passwd dbs 133 return getentUser(fmt.Sprintf("%s %d", "passwd", uid)) 134 } 135 136 func getentUser(args string) (user.User, error) { 137 reader, err := callGetent(args) 138 if err != nil { 139 return user.User{}, err 140 } 141 users, err := user.ParsePasswd(reader) 142 if err != nil { 143 return user.User{}, err 144 } 145 if len(users) == 0 { 146 return user.User{}, fmt.Errorf("getent failed to find passwd entry for %q", strings.Split(args, " ")[1]) 147 } 148 return users[0], nil 149 } 150 151 // LookupGroup uses traditional local system files lookup (from libcontainer/user) on a group name, 152 // followed by a call to `getent` for supporting host configured non-files passwd and group dbs 153 func LookupGroup(groupname string) (user.Group, error) { 154 // first try a local system files lookup using existing capabilities 155 group, err := user.LookupGroup(groupname) 156 if err == nil { 157 return group, nil 158 } 159 // local files lookup failed; attempt to call `getent` to query configured group dbs 160 return getentGroup(fmt.Sprintf("%s %s", "group", groupname)) 161 } 162 163 // LookupGID uses traditional local system files lookup (from libcontainer/user) on a group ID, 164 // followed by a call to `getent` for supporting host configured non-files passwd and group dbs 165 func LookupGID(gid int) (user.Group, error) { 166 // first try a local system files lookup using existing capabilities 167 group, err := user.LookupGid(gid) 168 if err == nil { 169 return group, nil 170 } 171 // local files lookup failed; attempt to call `getent` to query configured group dbs 172 return getentGroup(fmt.Sprintf("%s %d", "group", gid)) 173 } 174 175 func getentGroup(args string) (user.Group, error) { 176 reader, err := callGetent(args) 177 if err != nil { 178 return user.Group{}, err 179 } 180 groups, err := user.ParseGroup(reader) 181 if err != nil { 182 return user.Group{}, err 183 } 184 if len(groups) == 0 { 185 return user.Group{}, fmt.Errorf("getent failed to find groups entry for %q", strings.Split(args, " ")[1]) 186 } 187 return groups[0], nil 188 } 189 190 func callGetent(args string) (io.Reader, error) { 191 entOnce.Do(func() { getentCmd, _ = resolveBinary("getent") }) 192 // if no `getent` command on host, can't do anything else 193 if getentCmd == "" { 194 return nil, fmt.Errorf("") 195 } 196 out, err := execCmd(getentCmd, args) 197 if err != nil { 198 exitCode, errC := system.GetExitCode(err) 199 if errC != nil { 200 return nil, err 201 } 202 switch exitCode { 203 case 1: 204 return nil, fmt.Errorf("getent reported invalid parameters/database unknown") 205 case 2: 206 terms := strings.Split(args, " ") 207 return nil, fmt.Errorf("getent unable to find entry %q in %s database", terms[1], terms[0]) 208 case 3: 209 return nil, fmt.Errorf("getent database doesn't support enumeration") 210 default: 211 return nil, err 212 } 213 214 } 215 return bytes.NewReader(out), nil 216 } 217 218 // lazyChown performs a chown only if the uid/gid don't match what's requested 219 // Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the 220 // dir is on an NFS share, so don't call chown unless we absolutely must. 221 func lazyChown(p string, uid, gid int, stat *system.StatT) error { 222 if stat == nil { 223 var err error 224 stat, err = system.Stat(p) 225 if err != nil { 226 return err 227 } 228 } 229 if stat.UID() == uint32(uid) && stat.GID() == uint32(gid) { 230 return nil 231 } 232 return os.Chown(p, uid, gid) 233 } 234 235 // NewIdentityMapping takes a requested username and 236 // using the data from /etc/sub{uid,gid} ranges, creates the 237 // proper uid and gid remapping ranges for that user/group pair 238 func NewIdentityMapping(username string) (*IdentityMapping, error) { 239 usr, err := LookupUser(username) 240 if err != nil { 241 return nil, fmt.Errorf("Could not get user for username %s: %v", username, err) 242 } 243 244 uid := strconv.Itoa(usr.Uid) 245 246 subuidRangesWithUserName, err := parseSubuid(username) 247 if err != nil { 248 return nil, err 249 } 250 subgidRangesWithUserName, err := parseSubgid(username) 251 if err != nil { 252 return nil, err 253 } 254 255 subuidRangesWithUID, err := parseSubuid(uid) 256 if err != nil { 257 return nil, err 258 } 259 subgidRangesWithUID, err := parseSubgid(uid) 260 if err != nil { 261 return nil, err 262 } 263 264 subuidRanges := append(subuidRangesWithUserName, subuidRangesWithUID...) 265 subgidRanges := append(subgidRangesWithUserName, subgidRangesWithUID...) 266 267 if len(subuidRanges) == 0 { 268 return nil, errors.Errorf("no subuid ranges found for user %q", username) 269 } 270 if len(subgidRanges) == 0 { 271 return nil, errors.Errorf("no subgid ranges found for user %q", username) 272 } 273 274 return &IdentityMapping{ 275 uids: createIDMap(subuidRanges), 276 gids: createIDMap(subgidRanges), 277 }, nil 278 }