fix(oci): apply absolute symlink resolution to /etc/group

pauloappbr · k8s-infra-cherrypick-robot · commit ee4179e5212c · 2026-03-12T08:38:15.000Z
This is a follow-up to PR #12732. As noted by @TheColorman, while the previous PR successfully resolved absolute symlinks pointing outside the mount root for /etc/passwd during user lookups, the same logic was missing for group lookups. This caused `openat etc/group: path escapes from parent` errors when /etc/group was also an absolute symlink (e.g., in NixOS environments). This patch updates GIDFromFS, getSupplementalGroupsFromFS, and WithAppendAdditionalGroups to use the openUserFile helper, ensuring absolute symlinks are correctly re-anchored across all OCI user/group resolution paths. Includes unit test for validation. Fixes #12683 Signed-off-by: Paulo Oliveira <paulo.hco47@gmail.com>
diff --git a/pkg/oci/spec_opts.go b/pkg/oci/spec_opts.go
@@ -963,7 +963,7 @@ func WithAppendAdditionalGroups(groups ...string) SpecOpts {
 			defer ensureAdditionalGids(s)
 
 			var ugroups []user.Group
-			f, groupErr := root.Open("etc/group")
+			f, groupErr := openUserFile(root, "etc/group")
 			if groupErr == nil {
 				defer f.Close()
 				ugroups, groupErr = user.ParseGroup(f)
@@ -1191,7 +1191,7 @@ func GIDFromFS(root fs.FS, filter func(user.Group) bool) (gid uint32, err error)
 }
 
 func getSupplementalGroupsFromFS(root fs.FS, filter func(user.Group) bool) ([]uint32, error) {
-	f, err := root.Open("etc/group")
+	f, err := openUserFile(root, "etc/group")
 	if err != nil {
 		return []uint32{}, err
 	}
diff --git a/pkg/oci/spec_test.go b/pkg/oci/spec_test.go
@@ -29,6 +29,7 @@ import (
 	"github.com/containerd/containerd/v2/pkg/namespaces"
 	"github.com/containerd/containerd/v2/pkg/testutil"
 	"github.com/containerd/continuity/fs/fstest"
+	"github.com/moby/sys/user"
 	"github.com/opencontainers/runtime-spec/specs-go"
 )
 
@@ -374,6 +375,49 @@ func TestOpenUserFile_AbsoluteSymlink(t *testing.T) {
 	}
 }
 
+func TestGroupLookup_AbsoluteSymlink(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("absolute symlink handling is only supported on non-Windows platforms")
+	}
+
+	expectedContent := []byte("dummygroup:x:1001:paulo\n")
+
+	root := t.TempDir()
+	if err := fstest.Apply(
+		fstest.CreateDir("/etc", 0o755),
+		fstest.CreateDir("/nix/store/abcd", 0o755),
+		fstest.CreateFile("/nix/store/abcd/group", expectedContent, 0o644),
+		fstest.Symlink("/nix/store/abcd/group", "/etc/group"),
+	).Apply(root); err != nil {
+		t.Fatal(err)
+	}
+
+	rootFS := os.DirFS(root)
+	if _, ok := rootFS.(readLinker); !ok {
+		rootFS = readLinkFS{root: root, fs: rootFS}
+	}
+
+	gid, err := GIDFromFS(rootFS, func(g user.Group) bool {
+		return g.Name == "dummygroup"
+	})
+	if err != nil {
+		t.Fatalf("GIDFromFS failed on absolute symlink: %v", err)
+	}
+	if gid != 1001 {
+		t.Errorf("expected GID 1001, got %d", gid)
+	}
+
+	gids, err := getSupplementalGroupsFromFS(rootFS, func(g user.Group) bool {
+		return g.Name == "dummygroup"
+	})
+	if err != nil {
+		t.Fatalf("getSupplementalGroupsFromFS failed on absolute symlink: %v", err)
+	}
+	if len(gids) != 1 || gids[0] != 1001 {
+		t.Errorf("expected supplemental GIDs [1001], got %v", gids)
+	}
+}
+
 // Helpers for testing ReadLink support
 type readLinkFS struct {
 	root string
