fix: give grpcurl sane user/group #158

Merged
merged 1 commit into from
Mar 21, 2024


quadespresso
Contributor

Background

/usr/local/bin/grpcurl is installed with UID/GID of 708061865/708061865:

```
 80c75558f0a4  ~  stat /usr/local/bin/grpcurl
  File: /usr/local/bin/grpcurl
  Size: 24027136  	Blocks: 46936      IO Block: 4096   regular file
Device: 6ah/106d	Inode: 33873716    Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (708061865/ UNKNOWN)   Gid: (708061865/ UNKNOWN)
Access: 2023-10-24 17:14:57.000000000 +0000
Modify: 2023-10-24 17:14:57.000000000 +0000
Change: 2024-02-16 17:40:28.913486261 +0000
```

as reported in issue #157.

This appears to be the result of the contents of the upstream tarball.

A quick look shows that every other binary in /usr/bin, /usr/sbin, and /usr/local/bin has a UID/GID of 0/0, except for /usr/local/bin/termshark, which is 1000/1000 (and /usr/bin/wall, with a group of tty, which we can ignore). I felt reasonably confident that setting grpcurl to 0/0 would be acceptable in this scenario.

The likely preferable approach would be to get this corrected in the upstream repo: https://github.com/fullstorydev/grpcurl

Fix

  • use chown to enforce UID/GID of root/root

Trivial smoke test

Build new image and run it, then:

```
 8139862a6a48  ~  ll /usr/local/bin/grpcurl
-rwxr-xr-x    1 root     root       22.9M Oct 24 17:14 /usr/local/bin/grpcurl

 8139862a6a48  ~  grpcurl -version
grpcurl v1.8.9
```

@nicolaka nicolaka merged commit 4dfb45a into nicolaka:master Mar 21, 2024
1 check passed
@quadespresso quadespresso deleted the chown-grpcurl branch March 21, 2024 17:59
@dezza
Contributor

dezza commented Apr 4, 2024

@quadespresso @nicolaka Actually I think this issue starts earlier already when building (at least for me with buildah/podman)

```
2024-04-04 09:48:12 (10.9 MB/s) - '/tmp/grpcurl.tar.gz' saved [7706522/7706522]

tar: LICENSE: Cannot change ownership to uid 708061865, gid 708061865: Invalid argument
tar: grpcurl: Cannot change ownership to uid 708061865, gid 708061865: Invalid argument
tar: Exiting with failure status due to previous errors
chown: cannot access '/tmp/grpcurl': No such file or directory
Error: building at STEP "RUN /tmp/fetch_binaries.sh": while running runtime: exit status 1
```

I have opened a new pull request to change the tar extract command to include --no-same-owner, which includes both UID/GID.

dezza added a commit to dezza/netshoot that referenced this pull request Apr 4, 2024
nicolaka#158

grpcurl tar includes some wild UID/GID numbers that can't map to subuid/subgid.
```
2024-04-04 09:48:12 (10.9 MB/s) - '/tmp/grpcurl.tar.gz' saved [7706522/7706522]

tar: LICENSE: Cannot change ownership to uid 708061865, gid 708061865: Invalid argument
tar: grpcurl: Cannot change ownership to uid 708061865, gid 708061865: Invalid argument
tar: Exiting with failure status due to previous errors
chown: cannot access '/tmp/grpcurl': No such file or directory
Error: building at STEP "RUN /tmp/fetch_binaries.sh": while running runtime: exit status 1
```
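The ownership recorded in a tarball can be inspected before extraction, and `--no-same-owner` keeps tar from applying it. The following is an added example, not code from netshoot or grpcurl; it assumes GNU tar, awk and coreutils stat, and the function names and the sample archive are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not netshoot code). Assumes GNU tar, awk and coreutils stat.

# Build a small archive whose members carry the UID/GID reported in this thread.
# Constructed sample data: tar only records the numbers, so no root is needed.
make_sample_archive() {
    local dir="$1"
    mkdir -p "$dir/src"
    printf 'placeholder\n' > "$dir/src/grpcurl"
    printf 'placeholder\n' > "$dir/src/LICENSE"
    tar -C "$dir/src" --owner=708061865 --group=708061865 \
        -czf "$dir/sample.tar.gz" grpcurl LICENSE
}

# Print "uid/gid name" for every member not recorded as 0/0.
# Returns 1 if any such member exists, so a build script can log or gate on it.
audit_tar_owners() {
    tar --numeric-owner -tvzf "$1" | awk '
        $2 != "0/0" { print $2, $6; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Extract without applying the archived ownership: files end up owned by the
# extracting user, and tar never attempts the chown that fails when the
# archived IDs have no mapping in a rootless build's user namespace.
extract_ignoring_owner() {
    mkdir -p "$2"
    tar --no-same-owner -xzf "$1" -C "$2"
}

# Numeric owner of an extracted file, for a post-extract check.
owner_of() {
    stat -c '%u' "$1"
}
```

The awk filter takes the member name from the sixth column of GNU tar's verbose listing, so it is only reliable for member names without spaces.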