GoogleContainerTools · thesayyn · Feb 21, 2024 · Feb 20, 2024
diff --git a/distroless/private/home.bzl b/distroless/private/home.bzl
@@ -16,7 +16,13 @@ def home(name, dirs, **kwargs):
 
     for home in dirs:
         mtree.extend(
-            tar_lib.mtree.add_directory_with_parents(home["home"], uid = str(home["uid"]), gid = str(home["gid"])),
+            tar_lib.mtree.add_directory_with_parents(
+                home["home"],
+                uid = str(home["uid"]),
+                gid = str(home["gid"]),
+                # the default matches https://github.com/bazelbuild/rules_docker/blob/3040e1fd74659a52d1cdaff81359f57ee0e2bb41/contrib/passwd.bzl#L81C24-L81C27
+                mode = getattr(home, "gid", "700"),
+            ),
         )
 
     tar(

diff --git a/distroless/private/passwd.bzl b/distroless/private/passwd.bzl
@@ -5,7 +5,9 @@ load("@aspect_bazel_lib//lib:tar.bzl", "tar")
 load("@aspect_bazel_lib//lib:utils.bzl", "propagate_common_rule_attributes")
 load("@bazel_skylib//rules:write_file.bzl", "write_file")
 
-def passwd(name, passwds, **kwargs):
+# WARNING: the mode `0o644` is important
+# See: https://github.com/bazelbuild/rules_docker/blob/3040e1fd74659a52d1cdaff81359f57ee0e2bb41/contrib/passwd.bzl#L149C54-L149C57
+def passwd(name, passwds, mode = "644", **kwargs):
     """
     Create a passwd file from array of dicts.
 
@@ -20,6 +22,7 @@ def passwd(name, passwds, **kwargs):
             ```
             dict(gid = 0, uid = 0, home = "/root", shell = "/bin/bash", username = "root")
             ```
+        mode: the mode bits for the passwd file
         **kwargs: other named arguments to expanded targets. see [common rule attributes](https://bazel.build/reference/be/common-definitions#common-attributes).
     """
     common_kwargs = propagate_common_rule_attributes(kwargs)
@@ -50,11 +53,12 @@ def passwd(name, passwds, **kwargs):
         stamp = 0,
         template = [
             "#mtree",
-            "./etc/passwd uid=0 gid=0 mode=0700 time=0 type=file content={content}",
+            "./etc/passwd uid=0 gid=0 mode={mode} time=0 type=file content={content}",
             "",
         ],
         substitutions = {
             "{content}": "$(BINDIR)/$(rootpath :%s_content)" % name,
+            "{mode}": mode,
         },
         **common_kwargs
     )

diff --git a/distroless/private/tar.bzl b/distroless/private/tar.bzl
@@ -45,7 +45,7 @@ def _add_file_with_parents(path, file):
     return lines
 
 def _add_directory_with_parents(path, **kwargs):
-    lines = _add_parents(path)
+    lines = _add_parents(path, **kwargs)
     lines.append(_mtree_line(path, "dir", **kwargs))
     return lines
 

diff --git a/docs/rules.md b/docs/rules.md
diff --git a/examples/flatten/BUILD.bazel b/examples/flatten/BUILD.bazel
@@ -52,15 +52,15 @@ assert_tar_listing(
     actual = "flatten",
     expected = """\
 #mtree
-./etc/passwd nlink=0 time=0.0 mode=700 gid=0 uid=0 type=file size=33 cksum=3891093834 sha1digest=94f013494b98f8ed618ce2e670d405f818ec3915
+./etc/passwd nlink=0 time=0.0 mode=644 gid=0 uid=0 type=file size=33 cksum=3891093834 sha1digest=94f013494b98f8ed618ce2e670d405f818ec3915
 ./examples time=1672560000.0 mode=755 gid=0 uid=0 type=dir
 ./examples/flatten time=1672560000.0 mode=755 gid=0 uid=0 type=dir
 ./examples/flatten/dir time=1672560000.0 mode=755 gid=0 uid=0 type=dir
 ./examples/flatten/dir/changelog nlink=0 time=1672560000.0 mode=755 gid=0 uid=0 type=file size=0 cksum=4294967295 sha1digest=da39a3ee5e6b4b0d3255bfef95601890afd80709
 ./examples/flatten/dir/sub time=1672560000.0 mode=755 gid=0 uid=0 type=dir
 ./examples/flatten/dir/sub/content.txt nlink=0 time=1672560000.0 mode=755 gid=0 uid=0 type=file size=0 cksum=4294967295 sha1digest=da39a3ee5e6b4b0d3255bfef95601890afd80709
-./home time=0.0 mode=755 gid=0 uid=0 type=dir
-./home/nonroot time=0.0 mode=755 gid=666 uid=666 type=dir
-./root time=0.0 mode=755 gid=0 uid=0 type=dir
+./home time=0.0 mode=700 gid=666 uid=666 type=dir
+./home/nonroot time=0.0 mode=700 gid=666 uid=666 type=dir
+./root time=0.0 mode=700 gid=0 uid=0 type=dir
 """,
 )
diff --git a/examples/home/BUILD.bazel b/examples/home/BUILD.bazel
@@ -22,8 +22,8 @@ assert_tar_listing(
     actual = "home",
     expected = """\
 #mtree
-./home time=0.0 mode=755 gid=0 uid=0 type=dir
-./home/nonroot time=0.0 mode=755 gid=666 uid=666 type=dir
-./root time=0.0 mode=755 gid=0 uid=0 type=dir
+./home time=0.0 mode=700 gid=666 uid=666 type=dir
+./home/nonroot time=0.0 mode=700 gid=666 uid=666 type=dir
+./root time=0.0 mode=700 gid=0 uid=0 type=dir
 """,
 )
diff --git a/examples/passwd/BUILD.bazel b/examples/passwd/BUILD.bazel
@@ -27,6 +27,6 @@ assert_tar_listing(
     actual = "passwd",
     expected = """\
 #mtree
-./etc/passwd nlink=0 time=0.0 mode=700 gid=0 uid=0 type=file size=35 cksum=2298809208 sha1digest=31ad675c1210fd0413dd9b2441aaaf13c18d1547
+./etc/passwd nlink=0 time=0.0 mode=644 gid=0 uid=0 type=file size=35 cksum=2298809208 sha1digest=31ad675c1210fd0413dd9b2441aaaf13c18d1547
 """,
 )