Merge pull request #4099 from ark-j/main

AkihiroSuda · web-flow · commit 9570d200dd52 · 2025-04-13T03:41:17.000+09:00
Fix stopping container when setup using setuid bit
diff --git a/cmd/nerdctl/main.go b/cmd/nerdctl/main.go
@@ -190,7 +190,6 @@ func initRootCmdFlags(rootCmd *cobra.Command, tomlPath string) (*pflag.FlagSet,
 }
 
 func newApp() (*cobra.Command, error) {
-
 	tomlPath := ncdefaults.NerdctlTOML()
 	if v, ok := os.LookupEnv("NERDCTL_TOML"); ok {
 		tomlPath = v
@@ -217,6 +216,10 @@ Config file ($NERDCTL_TOML): %s
 		return nil, err
 	}
 
+	if err := resetSavedSETUID(); err != nil {
+		return nil, err
+	}
+
 	rootCmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {
 		globalOptions, err := helpers.ProcessRootCmdFlags(cmd)
 		if err != nil {
diff --git a/cmd/nerdctl/main_freebsd.go b/cmd/nerdctl/main_freebsd.go
@@ -27,3 +27,8 @@ func appNeedsRootlessParentMain(cmd *cobra.Command, args []string) bool {
 func addApparmorCommand(rootCmd *cobra.Command) {
 	// NOP
 }
+
+func resetSavedSETUID() error {
+	// NOP
+	return nil
+}
diff --git a/cmd/nerdctl/main_linux.go b/cmd/nerdctl/main_linux.go
@@ -18,6 +18,7 @@ package main
 
 import (
 	"github.com/spf13/cobra"
+	"golang.org/x/sys/unix"
 
 	"github.com/containerd/nerdctl/v2/cmd/nerdctl/apparmor"
 	"github.com/containerd/nerdctl/v2/pkg/rootlessutil"
@@ -66,3 +67,18 @@ func appNeedsRootlessParentMain(cmd *cobra.Command, args []string) bool {
 func addApparmorCommand(rootCmd *cobra.Command) {
 	rootCmd.AddCommand(apparmor.Command())
 }
+
+// resetSavedSETUID drops the saved UID of a setuid-root process to the original real UID.
+// This ensures the process cannot regain root privileges later.
+// It only performs the operation if the process is currently running with effective UID 0 (root)
+// and was started by a non-root user (i.e., real UID != effective UID).
+// For more info see issue https://github.com/containerd/nerdctl/issues/4098
+func resetSavedSETUID() error {
+	var err error
+	uid := unix.Getuid()
+	euid := unix.Geteuid()
+	if uid != euid && euid == 0 {
+		err = unix.Setresuid(0, 0, uid)
+	}
+	return err
+}
diff --git a/cmd/nerdctl/main_windows.go b/cmd/nerdctl/main_windows.go
@@ -27,3 +27,8 @@ func appNeedsRootlessParentMain(cmd *cobra.Command, args []string) bool {
 func addApparmorCommand(rootCmd *cobra.Command) {
 	// NOP
 }
+
+func resetSavedSETUID() error {
+	// NOP
+	return nil
+}

Original file line number	Diff line number	Diff line change
`@@ -27,3 +27,8 @@ func appNeedsRootlessParentMain(cmd *cobra.Command, args []string) bool {`
`27`	`27`	`func addApparmorCommand(rootCmd *cobra.Command) {`
`28`	`28`	`// NOP`
`29`	`29`	`}`
	`30`	`+`
	`31`	`+func resetSavedSETUID() error {`
	`32`	`+ // NOP`
	`33`	`+ return nil`
	`34`	`+}`