Merge pull request #283 from HackAttack/disable-userns-remap-for-chown

pzeballos · web-flow · commit 0e667fe69d20 · 2026-01-22T18:28:14.000-03:00
Disable namespace remapping for chown cleanup
diff --git a/README.md b/README.md
@@ -355,6 +355,8 @@ Whether to `chown` the directory mounted with `mount-checkout` to the Buildkite
 
 Prefer using `propagate-uid-gid` over this option, as the `chown`–which can take some time if your checkout is of considerable size—is likely not needed at all in that case.
 
+**Security**: This option runs a container with [user namespace remapping disabled](https://docs.docker.com/reference/cli/docker/container/run/#userns).
+
 Default: `false`
 
 ### `chown-image` (optional, string)
diff --git a/hooks/pre-exit b/hooks/pre-exit
@@ -14,6 +14,6 @@ if [[ "${BUILDKITE_PLUGIN_DOCKER_CLEANUP:-true}" =~ ^(true|on|1)$ ]] ; then
 fi
 
 if ! is_windows && [[ "${BUILDKITE_PLUGIN_DOCKER_MOUNT_CHECKOUT:-true}" =~ ^(true|on|1)$ ]] && [[ "${BUILDKITE_PLUGIN_DOCKER_CHOWN:-false}" =~ ^(true|on|1)$ ]] ; then
-  docker run --rm -v "$PWD":"$PWD" "${BUILDKITE_PLUGIN_DOCKER_CHOWN_IMAGE:-busybox}" chown -Rh "$(id -u):$(id -g)" "$PWD"
+  docker run --rm -v "$PWD":"$PWD" --userns host "${BUILDKITE_PLUGIN_DOCKER_CHOWN_IMAGE:-busybox}" chown -Rh "$(id -u):$(id -g)" "$PWD"
 fi
 
diff --git a/tests/pre-exit.bats b/tests/pre-exit.bats
@@ -6,7 +6,7 @@ load "${BATS_PLUGIN_PATH}/load.bash"
   export BUILDKITE_PLUGIN_DOCKER_CHOWN=true
 
   stub docker \
-    "run --rm -v $PWD:$PWD busybox chown -Rh $(id -u):$(id -g) $PWD : echo cleaned"
+    "run --rm -v $PWD:$PWD --userns host busybox chown -Rh $(id -u):$(id -g) $PWD : echo cleaned"
 
   run "$PWD"/hooks/pre-exit
 
@@ -20,7 +20,7 @@ load "${BATS_PLUGIN_PATH}/load.bash"
   unset BUILDKITE_PLUGIN_DOCKER_CHOWN
 
   stub docker \
-    "run --rm -v $PWD:$PWD busybox chown -Rh $(id -u):$(id -g) $PWD : echo cleaned"
+    "run --rm -v $PWD:$PWD --userns host busybox chown -Rh $(id -u):$(id -g) $PWD : echo cleaned"
 
   run "$PWD"/hooks/pre-exit
 
@@ -35,7 +35,7 @@ load "${BATS_PLUGIN_PATH}/load.bash"
   export BUILDKITE_PLUGIN_DOCKER_MOUNT_CHECKOUT=false
 
   stub docker \
-    "run --rm -v $PWD:$PWD busybox chown -Rh $(id -u):$(id -g) $PWD : echo cleaned"
+    "run --rm -v $PWD:$PWD --userns host busybox chown -Rh $(id -u):$(id -g) $PWD : echo cleaned"
 
   run "$PWD"/hooks/pre-exit
 
@@ -50,7 +50,7 @@ load "${BATS_PLUGIN_PATH}/load.bash"
   export BUILDKITE_PLUGIN_DOCKER_CHOWN_IMAGE=some-image
 
   stub docker \
-    "run --rm -v $PWD:$PWD some-image chown -Rh $(id -u):$(id -g) $PWD : echo cleaned"
+    "run --rm -v $PWD:$PWD --userns host some-image chown -Rh $(id -u):$(id -g) $PWD : echo cleaned"
 
   run "$PWD"/hooks/pre-exit
 
