Bug 2141452 - buildah: ubi8 sticky bit removed from /tmp
Summary: buildah: ubi8 sticky bit removed from /tmp
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: buildah
Version: 8.6
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.8
Assignee: Jindrich Novy
QA Contact: Joy Pu
URL:
Whiteboard:
Depends On:
Blocks: 2138434 2152001 2152017 2152023
Reported: 2022-11-09 22:20 UTC by Derrick Ornelas
Modified: 2023-05-16 09:10 UTC (History)

Fixed In Version: buildah-1.28.2-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2138434
Clones: 2152001 2152017
Environment:
Last Closed: 2023-05-16 08:22:23 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links:
GitHub containers/buildah pull 4411 (Merged): copier.Put(): clear up os/syscall mode bit confusion (last updated 2022-12-09 06:13:42 UTC)
Red Hat Issue Tracker RHELPLAN-138880 (last updated 2022-11-09 22:35:16 UTC)
Red Hat Product Errata RHSA-2023:2758 (last updated 2023-05-16 08:23:44 UTC)

Description Derrick Ornelas 2022-11-09 22:20:58 UTC
+++ This bug was initially created as a clone of Bug #2138434 +++

Description of problem:

The sticky bit has been removed from /tmp directory in ubi8/ubi:8.6-990 and ubi8/ubi:8.6-983. It was present in previous image ubi8/ubi:8.6-943.1665521450.

Version-Release number of selected component (if applicable):

ubi8/ubi:8.6-990 and ubi8/ubi:8.6-983

How reproducible: see Steps to Reproduce below.

Steps to Reproduce:
1. podman run -ti registry.access.redhat.com/ubi8/ubi:8.6-990 ls -ld /tmp
2. podman run -ti registry.access.redhat.com/ubi8/ubi:8.6-983 ls -ld /tmp
3. podman run -ti registry.access.redhat.com/ubi8/ubi:8.6-943.1665521450 ls -ld /tmp

Actual results:

For ubi8/ubi:8.6-983:

drwxrwxrwx. 2 root root 58 Oct 19 04:57 /tmp

For ubi8/ubi:8.6-990:

drwxrwxrwx. 2 root root 58 Oct 26 11:23 /tmp

Expected results:

For ubi8/ubi:8.6-983:

drwxrwxrwt. 2 root root 58 Oct 19 04:57 /tmp

For ubi8/ubi:8.6-990:

drwxrwxrwt. 2 root root 58 Oct 26 11:23 /tmp

Additional info:

No longer compliant with https://static.open-scap.org/ssg-guides/ssg-rhel8-guide-stig.html#xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits

--- Additional comment from Jason Frey on 2022-11-08 11:28:23 EST ---

One side effect of this is that in Ruby, `Dir.tmpdir` refuses to use the /tmp dir, resulting in an exception: "ArgumentError (could not find a temporary directory)". See also https://gitlab.com/gitlab-org/charts/gitlab/-/issues/3933.


Another view using `stat`

$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi8/ubi:8.6-943.1665521450

[root@6dc45f004085 /]# stat /tmp | grep Access
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)

$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi8/ubi:8.6-983

[root@68270b51c126 /]# stat /tmp | grep Access
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)

--- Additional comment from Jason Frey on 2022-11-08 12:23:37 EST ---

ubi9 is also affected as of ubi9/ubi:9.0.0-1640.1666621574.


$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi9/ubi:9.0.0-1640.1665068441

[root@35e71c989f5a /]# stat /tmp | grep Access
Access: (1777/drwxrwxrwt)  Uid: (    0/    root)   Gid: (    0/    root)

$ docker run --rm -it --entrypoint /bin/bash registry.access.redhat.com/ubi8/ubi:9.0.0-1640.1666621574

[root@d4a641cdda41 /]# stat /tmp | grep Access
Access: (0777/drwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)


Additionally, the minimal variants also are affected.

One interesting note here is that this also aligns with what appears to be a reduction from 2 layers to 1 layer, which can be seen during a docker pull.

Comment 2 Tom Sweeney 2022-12-08 20:22:05 UTC
Fixed with https://github.com/containers/buildah/pull/4411 upstream.

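The upstream fix linked above is titled "clear up os/syscall mode bit confusion": in Go, setuid/setgid/sticky sit at 0o4000/0o2000/0o1000 in a raw st_mode or tar-header mode but at os.ModeSetuid/ModeSetgid/ModeSticky in os.FileMode, so casting a raw mode straight to os.FileMode and passing it to os.Chmod silently drops the sticky bit. The following is an added example illustrating that mismatch and a defender's check for it; it is not buildah's code, and the function names RawToFileMode and StickyAfterChmod are my own.

```go
package main

import (
	"fmt"
	"os"
)

// Special permission bits live at 0o4000/0o2000/0o1000 in a raw st_mode or
// tar-header mode, but at os.ModeSetuid/ModeSetgid/ModeSticky in os.FileMode.
var specialBits = []struct {
	raw uint32
	fm  os.FileMode
}{{0o4000, os.ModeSetuid}, {0o2000, os.ModeSetgid}, {0o1000, os.ModeSticky}}

// RawToFileMode converts a raw mode such as 0o1777 into an os.FileMode.
// A plain os.FileMode(raw) cast is the bug pattern: os.FileMode never looks
// at bit 0o1000, so setuid/setgid/sticky are lost on the way to the kernel.
func RawToFileMode(raw uint32) os.FileMode {
	m := os.FileMode(raw & 0o777)
	for _, b := range specialBits {
		if raw&b.raw != 0 {
			m |= b.fm
		}
	}
	return m
}

// StickyAfterChmod chmods a scratch directory and reports whether the sticky
// bit is really set on disk. os.Chmod forwards only mode.Perm() plus the
// os.Mode* bits, so os.FileMode(0o1777) yields a 0777 directory: the /tmp symptom.
func StickyAfterChmod(mode os.FileMode) (bool, error) {
	dir, err := os.MkdirTemp("", "sticky-demo")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	if err = os.Chmod(dir, mode); err != nil {
		return false, err
	}
	fi, err := os.Stat(dir)
	if err != nil {
		return false, err
	}
	return fi.Mode()&os.ModeSticky != 0, nil
}

func main() {
	naive, _ := StickyAfterChmod(os.FileMode(0o1777))  // buggy cast
	fixed, _ := StickyAfterChmod(RawToFileMode(0o1777)) // converted properly
	fmt.Printf("sticky kept: naive cast=%v, converted=%v\n", naive, fixed)
}
```

The same check applied to an unpacked image rootfs (stat /tmp and test for os.ModeSticky) is a cheap regression test for the STIG rule cited in the description.
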
Comment 4 Tom Sweeney 2022-12-08 20:24:21 UTC
Setting to Post and assigning to @jnovy for any further BZ or packaging needs.

Comment 8 Joy Pu 2022-12-29 03:07:08 UTC
Tested with buildah-1.28.2-2.module+el8.8.0+17458+77eef5df.x86_64; the "t" flag still exists after build. So moving this to verified. Details:

[root@cloud-qe-05 test]#  buildah bud -t sticky-test .
STEP 1/23: FROM scratch
STEP 2/23: ADD rhel-base-fs-container-8.6-2480.x86_64.tar.gz /
STEP 3/23: ADD tls-ca-bundle.pem /tmp/tls-ca-bundle.pem
STEP 4/23: ADD atomic-reactor-repos/* /etc/yum.repos.d/
STEP 5/23: LABEL maintainer="Red Hat, Inc."
STEP 6/23: LABEL com.redhat.component="ubi8-container"       name="ubi8"       version="8.6"
STEP 7/23: LABEL com.redhat.license_terms="https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI"
STEP 8/23: LABEL summary="Provides the latest release of Red Hat Universal Base Image 8."
STEP 9/23: LABEL description="The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly."
STEP 10/23: LABEL io.k8s.display-name="Red Hat Universal Base Image 8"
STEP 11/23: LABEL io.openshift.expose-services=""
STEP 12/23: LABEL io.openshift.tags="base rhel8"
STEP 13/23: ENV container oci
STEP 14/23: ENV PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
STEP 15/23: CMD ["/bin/bash"]
STEP 16/23: RUN rm -rf /var/log/*
STEP 17/23: RUN mkdir -p /var/log/rhsm
STEP 18/23: LABEL release=1054
STEP 19/23: ADD ubi8-container-8.6-1054.json /root/buildinfo/content_manifests/ubi8-container-8.6-1054.json
STEP 20/23: ADD Dockerfile-ubi8-8.6-1054 /root/buildinfo/Dockerfile-ubi8-8.6-1054
STEP 21/23: LABEL "distribution-scope"="public" "vendor"="Red Hat, Inc." "build-date"="2022-12-19T02:04:53" "architecture"="x86_64" "vcs-type"="git" "vcs-ref"="f1ee6e37554363ec55e0035aba1a693d3627fdeb" "io.k8s.description"="The Universal Base Image is designed and engineered to be the base layer for all of your containerized applications, middleware and utilities. This base image is freely redistributable, but Red Hat only supports Red Hat technologies through subscriptions for Red Hat products. This image is maintained by Red Hat and updated regularly." "url"="https://access.redhat.com/containers/#/registry.access.redhat.com/ubi8/images/8.6-1054"
STEP 22/23: RUN rm -f '/etc/yum.repos.d/beaker-AppStream.repo'
STEP 23/23: RUN rm -f /tmp/tls-ca-bundle.pem
COMMIT sticky-test
Getting image source signatures
Copying blob c7ec59e00aff done  
Copying config 0a798409b4 done  
Writing manifest to image destination
Storing signatures
--> 0a798409b42
Successfully tagged localhost/sticky-test:latest
0a798409b422bcf40e0ea03d72ab1845e5afb45528fd95a81bdd4a84e82cf465
[root@cloud-qe-05 test]# buildah from sticky-test
sticky-test-working-container
[root@cloud-qe-05 test]#  buildah run sticky-test-working-container ls -ld /tmp/
drwxrwxrwt. 2 root root 58 Dec 29 03:01 /tmp/

Comment 10 errata-xmlrpc 2023-05-16 08:22:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2758

