Test no escalate in exec

docker/.gitignore

@@ -1,2 +1,3 @@
 /fs-stage/usr/local/bin/fixuid
+/fs-stage/usr/local/bin/test-no-escalate
 stage

test-no-escalate/.gitignore

@@ -0,0 +1 @@
+/test-no-escalate

test-no-escalate/build.sh

@@ -0,0 +1,5 @@
+#!/bin/sh -e
+cd "$(dirname "$0")"
+
+rm -f ./test-no-escalate
+CGO_ENABLED=0 go build

test-no-escalate/test-no-escalate.go

@@ -0,0 +1,37 @@
+package main
+
+import (
+	"log"
+	"os"
+	"syscall"
+)
+
+var logger = log.New(os.Stderr, "", 0)
+
+func main() {
+	logger.SetPrefix("test-no-escalate: ")
+
+	logger.Printf("Current UID: %d, GID: %d", os.Getuid(), os.Getgid())
+	logger.Printf("Current EUID: %d, EGID: %d", os.Geteuid(), os.Getegid())
+
+	// Test that both seteuid(0) and setegid(0) fail as expected
+	euidError := syscall.Seteuid(0)
+	egidError := syscall.Setegid(0)
+
+	if euidError != nil && egidError != nil {
+		logger.Printf("Got expected error when setting EUID to 0: %v", euidError)
+		logger.Printf("Got expected error when setting EGID to 0: %v", egidError)
+		// This is the expected behavior - exit with success
+		os.Exit(0)
+	} else {
+		// At least one of them succeeded, which is a security vulnerability
+		if euidError == nil {
+			logger.Printf("ERROR: Successfully set EUID to 0. New EUID: %d", os.Geteuid())
+		}
+		if egidError == nil {
+			logger.Printf("ERROR: Successfully set EGID to 0. New EGID: %d", os.Getegid())
+		}
+		// Exit with failure
+		os.Exit(1)
+	}
+}

test.sh

@@ -2,14 +2,21 @@
 cd $(dirname $0)
 set -e
 
+# build fixuid
 ./build.sh
 mv fixuid docker/fs-stage/usr/local/bin
+
+# build test-no-escalate
+./test-no-escalate/build.sh
+mv test-no-escalate/test-no-escalate docker/fs-stage/usr/local/bin
+
 rm -rf docker/alpine/stage
 cp -r docker/fs-stage docker/alpine/stage
 rm -rf docker/centos/stage
 cp -r docker/fs-stage docker/centos/stage
 rm -rf docker/debian/stage
 cp -r docker/fs-stage docker/debian/stage
+
 docker compose build
 
 echo "\nalpine default user/group cmd"
@@ -110,6 +117,13 @@ docker run --rm --entrypoint fixuid fixuid-centos -q fixuid-test.sh docker docke
 echo "\ndebian quiet entrypoint"
 docker run --rm --entrypoint fixuid fixuid-debian -q fixuid-test.sh docker docker 'docker users'
 
+echo "\nalpine test no escalate"
+docker run --rm --entrypoint fixuid fixuid-alpine test-no-escalate
+echo "\ncentos test no escalate"
+docker run --rm --entrypoint fixuid fixuid-centos test-no-escalate
+echo "\ndebian test no escalate"
+docker run --rm --entrypoint fixuid fixuid-debian test-no-escalate
+
 printf "\npaths:\n  - /\n  - /home/docker\n  - /tmp/space dir\n  - /does/not/exist" >> docker/alpine/stage/etc/fixuid/config.yml
 printf "\npaths:\n  - /\n  - /home/docker\n  - /tmp/space dir\n  - /does/not/exist" >> docker/centos/stage/etc/fixuid/config.yml
 printf "\npaths:\n  - /\n  - /home/docker\n  - /tmp/space dir\n  - /does/not/exist" >> docker/debian/stage/etc/fixuid/config.yml