core/src/main/java/org/testcontainers/utility/MountableFile.java

-Original file line number
+Diff line change
@@ Expand Up / @@ -356,6 +356,10 @@ private void recursiveTar( @@
                 // TarArchiveEntry automatically sets the mode for file/directory, but we can update to ensure that the mode is set exactly (inc executable bits)
                 tarEntry.setMode(getUnixFileMode(itemPath));
+                // Avoid propagating host UID/GID into containers. This is important for rootless Docker setups
+                // where host IDs may be unmapped and cause permission issues after copyArchiveToContainer.
+                tarEntry.setUserId(0);
+                tarEntry.setGroupId(0);
                 tarArchive.putArchiveEntry(tarEntry);
                 if (sourceFile.isFile()) {
@@ Expand Down @@

core/src/test/java/org/testcontainers/utility/MountableFileTest.java

-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,7 @@ @@
     import lombok.Cleanup;
     import org.apache.commons.compress.archivers.ArchiveEntry;
+    import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
     import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
     import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
     import org.jetbrains.annotations.NotNull;
@@ Expand Down Expand Up / @@ -131,6 +132,20 @@ void noTrailingSlashesInTarEntryNames() throws Exception { @@
             }
         }
+        @Test
+        void tarEntriesShouldUseRootOwnership() throws Exception {
+            final Path file = createTempFile("owner-check.txt");
+            final MountableFile mountableFile = MountableFile.forHostPath(file.toString());
+            @Cleanup
+            final TarArchiveInputStream tais = intoTarArchive(taos -> mountableFile.transferTo(taos, "/owner-check.txt"));
+            final TarArchiveEntry entry = tais.getNextTarEntry();
+            assertThat(entry).isNotNull();
+            assertThat(entry.getLongUserId()).as("tar user id should not leak host uid").isZero();
+            assertThat(entry.getLongGroupId()).as("tar group id should not leak host gid").isZero();
+        }
         private TarArchiveInputStream intoTarArchive(Consumer<TarArchiveOutputStream> consumer) throws IOException {
             @Cleanup
             final ByteArrayOutputStream baos = new ByteArrayOutputStream();
@@ Expand Down @@

Fix host UID/GID leakage in copyFileToContainer TAR entries #11488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

ym0506 wants to merge 1 commit into testcontainers:main from ym0506:codex/fix-copyfile-owner-rootless-clean

+19 −0

-Original file line number
+Diff line change
@@ Expand Up / @@ -356,6 +356,10 @@ private void recursiveTar( @@
                 // TarArchiveEntry automatically sets the mode for file/directory, but we can update to ensure that the mode is set exactly (inc executable bits)
                 tarEntry.setMode(getUnixFileMode(itemPath));
+                // Avoid propagating host UID/GID into containers. This is important for rootless Docker setups
+                // where host IDs may be unmapped and cause permission issues after copyArchiveToContainer.
+                tarEntry.setUserId(0);
+                tarEntry.setGroupId(0);
                 tarArchive.putArchiveEntry(tarEntry);
                 if (sourceFile.isFile()) {
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -2,6 +2,7 @@ @@
     import lombok.Cleanup;
     import org.apache.commons.compress.archivers.ArchiveEntry;
+    import org.apache.commons.compress.archivers.tar.TarArchiveEntry;
     import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
     import org.apache.commons.compress.archivers.tar.TarArchiveOutputStream;
     import org.jetbrains.annotations.NotNull;
@@ Expand Down Expand Up / @@ -131,6 +132,20 @@ void noTrailingSlashesInTarEntryNames() throws Exception { @@
             }
         }
+        @Test
+        void tarEntriesShouldUseRootOwnership() throws Exception {
+            final Path file = createTempFile("owner-check.txt");
+            final MountableFile mountableFile = MountableFile.forHostPath(file.toString());
+            @Cleanup
+            final TarArchiveInputStream tais = intoTarArchive(taos -> mountableFile.transferTo(taos, "/owner-check.txt"));
+            final TarArchiveEntry entry = tais.getNextTarEntry();
+            assertThat(entry).isNotNull();
+            assertThat(entry.getLongUserId()).as("tar user id should not leak host uid").isZero();
+            assertThat(entry.getLongGroupId()).as("tar group id should not leak host gid").isZero();
+        }
         private TarArchiveInputStream intoTarArchive(Consumer<TarArchiveOutputStream> consumer) throws IOException {
             @Cleanup
             final ByteArrayOutputStream baos = new ByteArrayOutputStream();
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix host UID/GID leakage in copyFileToContainer TAR entries #11488

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Fix host UID/GID leakage in copyFileToContainer TAR entries #11488

Are you sure you want to change the base?

Fix host UID/GID leakage in copyFileToContainer TAR entries #11488

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing