libctr/init_linux: reorder chdir

commit 5e0e67d moved the chdir to be one of the first steps of finalizing the namespace of the container. However, this causes issues when the cwd is not accessible by the user running runc, but rather as the container user. Thus, setupUser has to happen before we call chdir. setupUser still happens before setting the caps, so the user should be privileged enough to mitigate the issues fixed in 5e0e67d Signed-off-by: Peter Hunt <pehunt@redhat.com>
haircommander · Jan 5, 2021 · b6bbbeb · b6bbbeb
1 parent 5101761
commit b6bbbeb
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/libcontainer/init_linux.go b/libcontainer/init_linux.go
@@ -126,12 +126,6 @@ func finalizeNamespace(config *initConfig) error {
 		return errors.Wrap(err, "close exec fds")
 	}
 
-	if config.Cwd != "" {
-		if err := unix.Chdir(config.Cwd); err != nil {
-			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
-		}
-	}
-
 	capabilities := &configs.Capabilities{}
 	if config.Capabilities != nil {
 		capabilities = config.Capabilities
@@ -153,6 +147,14 @@ func finalizeNamespace(config *initConfig) error {
 	if err := setupUser(config); err != nil {
 		return errors.Wrap(err, "setup user")
 	}
+	// Change working directory AFTER the user has been set up.
+	// Otherwise, if the cwd is also a volume that's been chowned to the container user (and not the user running runc),
+	// this command will EPERM.
+	if config.Cwd != "" {
+		if err := unix.Chdir(config.Cwd); err != nil {
+			return fmt.Errorf("chdir to cwd (%q) set in config.json failed: %v", config.Cwd, err)
+		}
+	}
 	if err := system.ClearKeepCaps(); err != nil {
 		return errors.Wrap(err, "clear keep caps")
 	}