Alpine 3.14: Potential bug in file test operator -x #180

Closed
smatting opened this issue Jun 23, 2021 · 4 comments
smatting commented Jun 23, 2021

Starting with alpine 3.14 the file test operator [ -x <FILE> ] seems to return false for executable files:

$ docker run -it alpine:3.14                                                        ~/repos/cailleach
/ # apk update && apk add bash
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
v3.14.0-35-g61662e7eee [https://dl-cdn.alpinelinux.org/alpine/v3.14/main]
v3.14.0-42-g4ddf944b0f [https://dl-cdn.alpinelinux.org/alpine/v3.14/community]
OK: 14921 distinct packages available
(1/4) Installing ncurses-terminfo-base (6.2_p20210612-r0)
(2/4) Installing ncurses-libs (6.2_p20210612-r0)
(3/4) Installing readline (8.1.0-r0)
(4/4) Installing bash (5.1.4-r0)
Executing bash-5.1.4-r0.post-install
Executing busybox-1.33.1-r2.trigger
OK: 8 MiB in 18 packages
/ # ls -l /usr/bin/wget
lrwxrwxrwx    1 root     root            12 Jun 15 14:34 /usr/bin/wget -> /bin/busybox
/ # bash -c 'if [ -x "/usr/bin/wget" ]; then echo "expected."; else echo "unexpected!!!"; fi'
unexpected!!!

Compare this with the same command on alpine 3.13:

$ docker run -it alpine:3.13                                                        ~/repos/cailleach
/ # apk update && apk add bash
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
v3.13.5-213-g41f154cbb2 [https://dl-cdn.alpinelinux.org/alpine/v3.13/main]
v3.13.5-205-gb75f01a32f [https://dl-cdn.alpinelinux.org/alpine/v3.13/community]
OK: 13890 distinct packages available
(1/4) Installing ncurses-terminfo-base (6.2_p20210109-r0)
(2/4) Installing ncurses-libs (6.2_p20210109-r0)
(3/4) Installing readline (8.1.0-r0)
(4/4) Installing bash (5.1.0-r0)
Executing bash-5.1.0-r0.post-install
Executing busybox-1.32.1-r6.trigger
OK: 8 MiB in 18 packages
/ # ls -l /usr/bin/wget
lrwxrwxrwx    1 root     root            12 Apr 14 10:25 /usr/bin/wget -> /bin/busybox
/ # bash -c 'if [ -x "/usr/bin/wget" ]; then echo "expected."; else echo "unexpected!!!"; fi'
expected.

This could also be a bug in busybox, which provides the [ command for testing.


tianon commented Jun 23, 2021

You probably need newer runc: opencontainers/runc#2750

(If you strace it, it'll probably fail with EPERM on faccessat2 😔)


smatting commented Jun 23, 2021

The problem seems to occur only with gnu bash, not busybox:

$ docker run -it alpine:3.14                                                              ~/repos/cailleach
/ # sh -c 'if [ -x "/usr/bin/wget" ]; then echo "expected."; else echo "unexpected!!!"; fi'
expected.
$ docker run -it alpine:3.14
/ # apk update && apk add bash
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
v3.14.0-35-g61662e7eee [https://dl-cdn.alpinelinux.org/alpine/v3.14/main]
v3.14.0-42-g4ddf944b0f [https://dl-cdn.alpinelinux.org/alpine/v3.14/community]
OK: 14921 distinct packages available
(1/4) Installing ncurses-terminfo-base (6.2_p20210612-r0)
(2/4) Installing ncurses-libs (6.2_p20210612-r0)
(3/4) Installing readline (8.1.0-r0)
(4/4) Installing bash (5.1.4-r0)
Executing bash-5.1.4-r0.post-install
Executing busybox-1.33.1-r2.trigger
OK: 8 MiB in 18 packages

/ # bash -c 'if [ -x "/usr/bin/wget" ]; then echo "expected."; else echo "unexpected!!!"; fi'
unexpected!!!

smatting commented Jun 23, 2021

> You probably need newer runc: opencontainers/runc#2750
>
> (If you strace it, it'll probably fail with EPERM on faccessat2 😔)

Yes it does.

/# strace bash -c 'if [ -x "/usr/bin/wget" ]; then echo "expected."; else echo "unexpected!!!"; fi'

execve("/bin/bash", ["bash", "-c", "if [ -x \"/usr/bin/wget\" ]; then "...], 0x7ffd71fecb70 /* 6 vars */) = 0
...
faccessat2(AT_FDCWD, "/usr/bin/wget", X_OK, AT_EACCESS) = -1 EPERM (Operation not permitted)
writev(1, [{iov_base="unexpected!!!", iov_len=13}, {iov_base="\n", iov_len=1}], 2unexpected!!!
) = 14
rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
exit_group(0)                           = ?
+++ exited with 0 +++


smatting commented Jun 23, 2021

I'm also experiencing this problem with Docker version 19.03.14, btw. It looks like Docker 20.10 will fix this: https://docs.docker.com/engine/release-notes/#security-2
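
A small probe for the condition diagnosed in this thread, added here as an example and not code from the issue or from any project named in it: it issues the raw faccessat2 syscall seen in the strace output and separates EPERM from ENOSYS. The names classify and probe_faccessat2 are made up for the example, and reading EPERM on an F_OK check of "/" as a block imposed by the container runtime is an assumption.

```c
/* Added example (not from the thread): probe how this container answers faccessat2. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>        /* AT_FDCWD, AT_EACCESS */
#include <stdio.h>
#include <sys/syscall.h>  /* SYS_faccessat2 on new enough headers */
#include <unistd.h>       /* syscall(), F_OK */

#ifndef SYS_faccessat2
#define SYS_faccessat2 439  /* x86_64 and asm-generic number, for older headers */
#endif
#ifndef AT_EACCESS
#define AT_EACCESS 0x200
#endif

enum probe_result { PROBE_OK, PROBE_FILTERED, PROBE_NO_SYSCALL, PROBE_OTHER };

/* Interpret the result of an F_OK probe on a path that certainly exists. */
enum probe_result classify(long rc, int err) {
    if (rc == 0)       return PROBE_OK;          /* kernel ran the syscall */
    if (err == ENOSYS) return PROBE_NO_SYSCALL;  /* libc can fall back to faccessat */
    if (err == EPERM)  return PROBE_FILTERED;    /* the errno from the strace above */
    return PROBE_OTHER;
}

/* Issue the raw syscall so that no libc fallback hides the answer (hypothetical helper). */
enum probe_result probe_faccessat2(const char *path) {
    errno = 0;
    long rc = syscall(SYS_faccessat2, AT_FDCWD, path, F_OK, AT_EACCESS);
    return classify(rc, errno);
}

int main(void) {
    static const char *msg[] = {
        "faccessat2 works here",
        "faccessat2 -> EPERM: same failure as in this issue (assumed runtime block)",
        "faccessat2 -> ENOSYS: libc can fall back to the older call",
        "faccessat2 failed with an unexpected errno",
    };
    enum probe_result r = probe_faccessat2("/");
    puts(msg[r]);
    return r == PROBE_FILTERED;  /* non-zero exit only for the EPERM case */
}
```

Built statically and run inside the image in question, it exits with status 1 only in the EPERM case, so it can gate a CI job or an entrypoint check.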
