fix(oci): apply absolute symlink resolution to /etc/group#12925

Open
pauloappbr wants to merge 1 commit into containerd:main from pauloappbr:fix/12683-apply-symlink-fix-to-groups
Conversation

@pauloappbr
Contributor

This is a follow-up to PR #12732.

As noted by @TheColorman, while the previous PR successfully resolved absolute symlinks pointing outside the mount root for /etc/passwd during user lookups, the same logic was missing for group lookups. This caused `openat etc/group: path escapes from parent` errors when /etc/group was also an absolute symlink (e.g., in NixOS environments).

This patch updates GIDFromFS, getSupplementalGroupsFromFS, and WithAppendAdditionalGroups to use the openUserFile helper, ensuring absolute symlinks are correctly re-anchored across all OCI user/group resolution paths.

Fixes #12683

Signed-off-by: Paulo Oliveira paulo.hco47@gmail.com
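The failure mode described above, as an added example that is not containerd's code: a hypothetical readUserFile helper that re-anchors an absolute symlink target (such as a /nix/store path) under the mount root instead of letting it escape, plus a minimal gidFromFS lookup on top of it. Function names, the 16-hop limit and the rejection of relative links that climb out of root are this example's own choices.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// readUserFile reads rel under root, following symlinks lexically; an absolute
// target such as /nix/store/.../group is re-anchored under root instead of
// escaping to the host. Hypothetical helper, not containerd's openUserFile.
func readUserFile(root, rel string) ([]byte, error) {
	p := filepath.Join(root, rel)
	for i := 0; i < 16; i++ { // bound the symlink chain
		target, err := os.Readlink(p)
		if err != nil { // not a symlink (or unreadable): let ReadFile report it
			return os.ReadFile(p)
		}
		base := filepath.Dir(p)
		if filepath.IsAbs(target) {
			base = root // re-anchor the absolute link under the mount root
		}
		p = filepath.Join(base, target)
		// A relative target such as ../../x can still climb out of root: refuse it.
		if r, err := filepath.Rel(root, p); err != nil || r == ".." || strings.HasPrefix(r, "../") {
			return nil, fmt.Errorf("openat %s: path escapes from parent", rel)
		}
	}
	return nil, fmt.Errorf("%s: too many levels of symbolic links", rel)
}

// gidFromFS returns the GID of group name from root's /etc/group (name:x:gid:members).
func gidFromFS(root, name string) (uint32, error) {
	data, err := readUserFile(root, "etc/group")
	if err != nil {
		return 0, err
	}
	for _, line := range strings.Split(string(data), "\n") {
		if f := strings.Split(line, ":"); len(f) >= 3 && f[0] == name {
			gid, err := strconv.ParseUint(f[2], 10, 32)
			return uint32(gid), err
		}
	}
	return 0, fmt.Errorf("group %q not found", name)
}
```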

Member

@fuweid fuweid left a comment

Thanks. The change looks good. However, please add the UT to cover this case.

@github-project-automation github-project-automation bot moved this from Needs Triage to Needs Update in Pull Request Review Feb 21, 2026
@pauloappbr pauloappbr force-pushed the fix/12683-apply-symlink-fix-to-groups branch from 1176e7f to a5bf049 on February 22, 2026 00:59
@pauloappbr
Contributor Author

Thanks. The change looks good. However, please add the UT to cover this case.

Done! Added TestGroupLookup_AbsoluteSymlink covering both GIDFromFS and getSupplementalGroupsFromFS absolute symlink resolution.
I also squashed the commits to keep the history clean. Let me know if it needs anything else! Thanks for the review.

This is a follow-up to PR containerd#12732.

As noted by @TheColorman, while the previous PR successfully resolved absolute symlinks pointing outside the mount root for /etc/passwd during user lookups, the same logic was missing for group lookups. This caused `openat etc/group: path escapes from parent` errors when /etc/group was also an absolute symlink (e.g., in NixOS environments).

This patch updates GIDFromFS, getSupplementalGroupsFromFS, and WithAppendAdditionalGroups to use the openUserFile helper, ensuring absolute symlinks are correctly re-anchored across all OCI user/group resolution paths. Includes unit test for validation.

Fixes containerd#12683

Signed-off-by: Paulo Oliveira <paulo.hco47@gmail.com>
@fuweid fuweid added cherry-pick/2.0.x Change to be cherry picked to release/2.0 branch cherry-pick/2.1.x Change to be cherry picked to release/2.1 branch cherry-pick/1.7.x Change to be cherry picked to release/1.7 branch cherry-pick/2.2.x Change to be cherry picked to release/2.2 branch and removed cherry-pick/2.0.x Change to be cherry picked to release/2.0 branch labels Feb 22, 2026
@eskytthe

Thanks for this @pauloappbr

MR tested on NixOS - NixOS/nixpkgs#482748 (comment) and runs fine.

(In NixOS we can add patches (commits/MRs) to packages in a simple way, and have a rather powerful test system to test packages with)

BR
Erik

Development

Successfully merging this pull request may close these issues.

[Go 1.24] v2.2.0 fails to create containers from images having /etc/{passwd,group} symlinked to an absolute path