Failing to chown #5
This works for me:
diff --git a/main.go b/main.go
index 2bccf55..0a5e158 100644
--- a/main.go
+++ b/main.go
@@ -8,10 +8,15 @@ import (
)
func main() {
- if len(os.Args) > 3 || len(os.Args) < 2 {
+ var chown bool = true
+ if len(os.Args) > 4 || len(os.Args) < 2 {
log.Fatal("Usage: rootfs_builder <config.json>\n" +
+ "\t\t\t\t\t--no-chown: do not change file ownership\n" +
"\t\t\t\t\t--digest-only: only print the digest")
}
+ if os.Args[2] == "--no-chown" {
+ chown = false
+ }
// Initialize pullable image from config
pullableImage, err := rootfs.NewPullableImage(os.Args[1])
if err != nil {
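Review bot: `os.Args[2]` is read without checking that a second argument exists, so a run with only the config path (still accepted by the `len(os.Args) < 2` bound) would panic with an index-out-of-range error; the same holds for `os.Args[2] != "--digest-only"` in the next hunk. Guard both reads, e.g. `if len(os.Args) > 2 && os.Args[2] == "--no-chown" {`, or iterate over `os.Args[2:]`. The flags are also position-dependent: with `--no-chown --digest-only` the later test `os.Args[2] != "--digest-only"` is true and extraction runs anyway. As a style point, `var chown bool = true` can be `chown := true`. main's body continues outside the hunk.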
@@ -25,8 +30,8 @@ func main() {
}
// Extract rootfs
- if len(os.Args) == 2 {
- err = pulledManifest.Extract()
+ if os.Args[2] != "--digest-only" {
+ err = pulledManifest.Extract(chown)
if err != nil {
log.Errorf("Failed to extract rootfs: %+v", err)
os.Exit(1)
diff --git a/rootfs/extract.go b/rootfs/extract.go
index ca932b4..d2c6f00 100644
--- a/rootfs/extract.go
+++ b/rootfs/extract.go
@@ -24,7 +24,7 @@ import (
)
// extract a single file
-func extractFile(dest string, hdr *tar.Header, tr io.Reader, subuid int, subgid int) error {
+func extractFile(dest string, hdr *tar.Header, tr io.Reader, subuid int, subgid int, chown bool) error {
// Construct filepath from tar header
path := filepath.Join(dest, filepath.Clean(hdr.Name))
dir := filepath.Dir(path)
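Review bot: The path built from `hdr.Name` is not checked against `dest` in the visible lines: `filepath.Clean` keeps leading `..` elements of a relative name and `filepath.Join` then resolves them, so an entry name can resolve outside the extraction root unless it is validated outside this hunk. This predates the patch, but it matters more once the tool is meant to run as an ordinary user against that user's own files. A containment check after the join would cover it: compute `rel, err := filepath.Rel(dest, path)` and return an error when `err != nil`, `rel == ".."`, or `rel` starts with `".." + string(os.PathSeparator)`. extractFile's body continues outside the hunk.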
@@ -60,8 +60,10 @@ func extractFile(dest string, hdr *tar.Header, tr io.Reader, subuid int, subgid
if _, err = io.Copy(currFile, tr); err != nil {
return err
}
- if err = currFile.Chown(uid, gid); err != nil {
- return err
+ if chown {
+ if err = currFile.Chown(uid, gid); err != nil {
+ return err
+ }
}
currFile.Close()
case tar.TypeDir:
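Review bot: The early `return err` paths after `io.Copy` and `currFile.Chown` leave `currFile` open, and the result of `currFile.Close()` is discarded, so a write error that only surfaces at close is lost. Consider closing on every path and checking the final close, e.g. `if err = currFile.Close(); err != nil { return err }`, with a `currFile.Close()` before each early return. The open call is outside the hunk, so confirm nothing else already closes the file.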
@@ -72,8 +74,10 @@ func extractFile(dest string, hdr *tar.Header, tr io.Reader, subuid int, subgid
if err := os.Chmod(path, mode); err != nil {
return err
}
- if err := os.Chown(path, uid, gid); err != nil {
- return err
+ if chown {
+ if err := os.Chown(path, uid, gid); err != nil {
+ return err
+ }
}
// Hard link: Two files point to same data on disc. Assume OFS/Docker orders tarball such
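Review bot: With `chown` false the archive mode is still applied by `os.Chmod(path, mode)` while ownership stays with the invoking user, so the permission bits no longer mean what they meant in the image (the issue's `/etc/shadow` with group id 42 is one such entry). If `mode` can carry setuid or setgid bits (its derivation is outside the hunk), those bits would then refer to the invoking user's identity. A comment such as `// --no-chown: image ownership is dropped; entries stay owned by the invoking user` would make this explicit, and masking `os.ModeSetuid|os.ModeSetgid` when `!chown` is worth considering. The same applies to the regular-file and symlink hunks.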
@@ -111,8 +115,10 @@ func extractFile(dest string, hdr *tar.Header, tr io.Reader, subuid int, subgid
if err := os.Symlink(hdr.Linkname, path); err != nil {
return err
}
- if err := os.Lchown(path, uid, gid); err != nil {
- return err
+ if chown {
+ if err := os.Lchown(path, uid, gid); err != nil {
+ return err
+ }
}
}
return nil
@@ -152,7 +158,7 @@ func whiteout(tr *tar.Reader, rootfs string) error {
}
// Handle regular files
-func handleFiles(tr *tar.Reader, rootfs string, subuid int, subgid int) error {
+func handleFiles(tr *tar.Reader, rootfs string, subuid int, subgid int, chown bool) error {
// Iterate through the headers, extracting regular files
for {
hdr, err := tr.Next()
@@ -170,7 +176,7 @@ func handleFiles(tr *tar.Reader, rootfs string, subuid int, subgid int) error {
if strings.HasPrefix(base, ".wh.") {
continue
}
- if err := extractFile(rootfs, hdr, tr, subuid, subgid); err != nil {
+ if err := extractFile(rootfs, hdr, tr, subuid, subgid, chown); err != nil {
return err
}
}
@@ -216,7 +222,7 @@ func saveLayer(layer v1.Layer) (*os.File, error) {
// extractLayer accepts an open file descriptor to tarball and the destianation
// to extract the rootfs to
-func extractLayer(layer v1.Layer, rootfs string, subuid int, subgid int) error {
+func extractLayer(layer v1.Layer, rootfs string, subuid int, subgid int, chown bool) error {
digest, err := layer.Digest()
if err != nil {
return err
@@ -250,7 +256,7 @@ func extractLayer(layer v1.Layer, rootfs string, subuid int, subgid int) error {
}
log.Debugf("Extracting layer %s", digest)
- err = handleFiles(tr, rootfs, subuid, subgid)
+ err = handleFiles(tr, rootfs, subuid, subgid, chown)
if err != nil {
return err
}
diff --git a/rootfs/image.go b/rootfs/image.go
index 1dc83df..93c2b40 100644
--- a/rootfs/image.go
+++ b/rootfs/image.go
@@ -57,7 +57,7 @@ func (pulledImg *PulledImage) Digest() (string, error) {
}
// Extract rootfs
-func (pulledImg *PulledImage) Extract() error {
+func (pulledImg *PulledImage) Extract(chown bool) error {
// Ensure we have a valid location to extract to
err := pulledImg.validateDest()
if err != nil {
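Review bot: The exported method `Extract` gains a parameter but its comment still reads `// Extract rootfs` and says nothing about it. Suggested doc comment: `// Extract unpacks the image layers into the rootfs directory. When chown is false, ownership from the image is not applied to extracted entries.` Any caller outside this diff has to be updated for the new argument; the method body continues outside the hunk.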
@@ -87,14 +87,16 @@ func (pulledImg *PulledImage) Extract() error {
// Extract the layers
for _, layer := range layers {
- err = extractLayer(layer, rootfsPath, pulledImg.spec.subuid, pulledImg.spec.subgid)
+ err = extractLayer(layer, rootfsPath, pulledImg.spec.subuid, pulledImg.spec.subgid, chown)
if err != nil {
return err
}
}
- if err := os.Chown(rootfsPath, pulledImg.spec.subuid, pulledImg.spec.subuid); err != nil {
- return err
+ if chown {
+ if err := os.Chown(rootfsPath, pulledImg.spec.subuid, pulledImg.spec.subuid); err != nil {
+ return err
+ }
}
return nil |
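Review bot: The re-indented `os.Chown(rootfsPath, pulledImg.spec.subuid, pulledImg.spec.subuid)` passes `subuid` as both the uid and the gid, which looks like a typo carried over from the old line, since `extractLayer` just above is given `pulledImg.spec.subgid`. If the rootfs directory is meant to be owned by the mapped group, the call should be `os.Chown(rootfsPath, pulledImg.spec.subuid, pulledImg.spec.subgid)`. With differing subuid and subgid ranges the directory would otherwise end up with a group id outside the intended mapping.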
Hey there. I'm trying to extract the
alpine:3.15.2
docker image rootfs using the following config: It's failing with the following error:
The reason is that
/etc/shadow
from the tar file is owned by the shadow group, which has id 42, which when combined with this line results in a gid my user doesn't have permissions to chown to. Is there any way to run rootfs_builder as an unprivileged user? I'm assuming this would require using the user's uid/gid for all the files in the tree. Not sure if this would cause other issues?