setuid flag is lost in COPYed files #2075

Closed
clarity-jason opened this issue May 6, 2022 · 0 comments · Fixed by #2089

@clarity-jason
Actual behavior

When a file with the setuid flag enabled is COPYed from one stage to another, the setuid flag is lost. This appears to be new behavior as of v1.8.0.

Expected behavior

All file mode flags/bits should be COPYed.

An example of when this is desired is fixuid.

To Reproduce

In this example, I use fixuid as the file under test. However, any executable would likely work.

  1. Use the Dockerfile and build context noted in Additional Information, below. During the build process, the (pre-COPY) permissions are displayed as a sanity check.

  2. For each kaniko image noted in Additional Information, below, build the image.

  3. Run the resulting image and check the file mode on the fixuid binary.

  4. Here are the results from running the script across recent kaniko versions. Note that the first line of output is from the build itself (before the COPY), while the second line is from the subsequent docker run using the built image.

    # KANIKO_VERSION=1.6.0
    -r-sr-xr-x 1 root root 3.7M Jul 19  2021 /usr/local/bin/fixuid
    -r-sr-xr-x 1 root root 3.7M May  6 12:50 /usr/local/bin/fixuid
    
    # KANIKO_VERSION=1.7.0
    -r-sr-xr-x 1 root root 3.7M Jul 19  2021 /usr/local/bin/fixuid
    -r-sr-xr-x 1 root root 3.7M May  6 12:50 /usr/local/bin/fixuid
    
    # KANIKO_VERSION=1.8.0
    -r-sr-xr-x 1 root root 3.7M Jul 19  2021 /usr/local/bin/fixuid
    -r-xr-xr-x 1 root root 3.7M May  6 12:51 /usr/local/bin/fixuid
    
    # KANIKO_VERSION=1.8.1
    -r-sr-xr-x 1 root root 3.7M Jul 19  2021 /usr/local/bin/fixuid
    -r-xr-xr-x 1 root root 3.7M May  6 12:52 /usr/local/bin/fixuid

  5. Verify the behavior with Docker:

    $ docker --version
    Docker version 20.10.7, build 20.10.7-0ubuntu5~18.04.3
    
    $ docker image build --tag localhost/test-kaniko:docker-20.10.7 --file ./Dockerfile ./context
    <snip>
    -r-sr-xr-x 1 root root 3.7M Jul 19  2021 /usr/local/bin/fixuid
    <snip>
    
    $ docker container run --rm --entrypoint '' localhost/test-kaniko:docker-20.10.7 ls -lh /usr/local/bin/fixuid
    -r-sr-xr-x 1 root root 3.7M Jul 19  2021 /usr/local/bin/fixuid

A workaround is to set the file mode with a separate RUN command after the COPY. This does result in the setuid flag appearing in the image. However, I would expect the same functionality as Docker.

Additional Information

  • Dockerfile:

    FROM docker.io/debian:bullseye-slim as base
    FROM base as build
    COPY ["fixuid-0.5.1-linux-amd64.tar.gz", "/tmp/fixuid.tar.gz"]
    RUN \
      set -eu; \
      tar -C /usr/local/bin -xz -f /tmp/fixuid.tar.gz; \
      chown root:root /usr/local/bin/fixuid; \
      chmod u=rxs,go=rx /usr/local/bin/fixuid; \
      ls -lh /usr/local/bin/fixuid
    FROM base as final
    COPY --from=build ["/usr/local/bin/fixuid", "/usr/local/bin/"]
    LABEL \
      description="Testing setuid behavior in Kaniko"
  • Build Context:

    curl -fLsSO "https://github.com/boxboat/fixuid/releases/download/v0.5.1/fixuid-0.5.1-linux-amd64.tar.gz"

    (Any file would likely work; doesn't have to be fixuid.)

  • Kaniko Image (fully qualified with digest):

    The following images were used in the tests above.

    gcr.io/kaniko-project/executor:v1.6.0-debug:
      sha256:fcccd2ab9f3892e33fc7f2e950c8e4fc665e7a4c66f6a9d70b300d7a2103592f
    gcr.io/kaniko-project/executor:v1.7.0-debug:
      sha256:88dacc7ea3f5c04709eae96776693c717869405364b19d6e78850fe54c63c6a2
    gcr.io/kaniko-project/executor:v1.8.0-debug:
      sha256:0d8408715c7bcc2dc747405936c0e72665cafb2357fb78e23eb71f90bc39624f
    gcr.io/kaniko-project/executor:v1.8.1-debug:
      sha256:3bc3f3a05f803cac29164ce12617a7be64931748c944f6c419565f500b65e8db

    1.8.0 and 1.8.1 exhibit the bug. 1.6.0 and 1.7.0 do not.

Triage Notes for the Maintainers

Description                                                        Yes/No
Please check if this is a new feature you are proposing
Please check if the build works in docker but not in kaniko
Please check if this error is seen when you use the --cache flag
Please check if your dockerfile is a multistage dockerfile
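As an added check (my example, not the issue author's script and not kaniko project code), the following POSIX shell helpers turn the manual `ls -lh` inspection above into a pass/fail test that can run in CI against an unpacked image root filesystem. It assumes the built image has already been unpacked to a directory, for example with `docker create` followed by `docker export`, or by extracting the layers of the tarball kaniko writes with `--no-push --tar-path`; the function names, the `verify_image_rootfs` helper and the sample paths are my own. It checks both directions: the binary you expect to be setuid still is (the bug on this page drops the bit silently, so a build that succeeds is no evidence), and nothing else in the tree carries setuid or setgid.

```shell
#!/bin/sh
# Added example (not from the kaniko project or the issue author): verify that
# a binary kept its setuid bit after an image build, and list every
# setuid/setgid file under an unpacked image root filesystem.
#
# Assumptions (mine, not the page's): a POSIX shell; find(1) with -perm -MODE;
# the image filesystem already unpacked to a directory (docker create +
# docker export, or the layers of a kaniko --tar-path tarball).

# has_setuid_mode MODESTRING
#   Returns 0 when an `ls -l` mode string such as "-r-sr-xr-x" carries the
#   setuid bit: the 4th character is 's' (setuid+exec) or 'S' (setuid, no exec).
#   Lets you check pasted build output like the one in this issue.
has_setuid_mode() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# check_setuid_file PATH
#   Returns 0 when PATH exists and has mode bit 04000 set, 1 otherwise.
#   find(1) is used instead of stat(1) because stat's flags differ between
#   GNU and BSD userlands; -prune stops find descending if PATH is a directory.
check_setuid_file() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm -4000 -print)" ]
}

# list_suid_files ROOTFS
#   Prints every regular file under ROOTFS with setuid (04000) or setgid
#   (02000) set, one per line, as paths relative to ROOTFS (e.g. ./bin/su).
list_suid_files() {
    ( cd "$1" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort )
}

# count_suid_files ROOTFS
#   Number of setuid/setgid regular files under ROOTFS.
count_suid_files() {
    list_suid_files "$1" | wc -l | tr -d ' '
}

# verify_image_rootfs ROOTFS EXPECTED
#   EXPECTED is a path relative to ROOTFS (e.g. usr/local/bin/fixuid).
#   Returns 1 if EXPECTED lost its setuid bit (the failure in this issue), or
#   if any other privileged file exists in the tree; returns 0 otherwise.
verify_image_rootfs() {
    root=$1
    expected=$2
    if ! check_setuid_file "$root/$expected"; then
        printf 'FAIL: setuid bit missing on %s\n' "$expected" >&2
        return 1
    fi
    # Everything privileged except the allowlisted binary.
    extra=$(list_suid_files "$root" | grep -vFx "./$expected" || true)
    if [ -n "$extra" ]; then
        printf 'FAIL: unexpected setuid/setgid files:\n%s\n' "$extra" >&2
        return 1
    fi
    printf 'OK: %s is setuid and no other privileged files found\n' "$expected"
    return 0
}

# Command-line use: check_setuid.sh ROOTFS usr/local/bin/fixuid
[ "$#" -eq 0 ] || verify_image_rootfs "$1" "$2"
```

Run it as `sh check_setuid.sh /path/to/rootfs usr/local/bin/fixuid`; a non-zero exit is what you want a pipeline to surface, rather than a runtime failure from fixuid because the bit was dropped. The allowlist is deliberately a single path: an image that is expected to carry exactly one setuid binary should fail the check if a second one appears, regardless of which builder produced it.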
tonydelanuez added a commit to tonydelanuez/kaniko that referenced this issue May 15, 2022
Fixes GoogleContainerTools#2075

When a file with the setuid bit is copied from one stage
to another, the permissions were not copied over properly after
setting ownership on the directory and the file itself.
imjasonh added a commit that referenced this issue May 22, 2022
* Fix missing file permissions on multi-stage build

Fixes #2075

When a file with the setuid bit is copied from one stage
to another, the permissions were not copied over properly after
setting ownership on the directory and the file itself.

* Update pkg/util/fs_util.go

Co-authored-by: Jason Hall <[email protected]>

* Adding boilerplate to dockerfile

* Add bash check to bail with exit code 1 if setuid not present

Co-authored-by: Jason Hall <[email protected]>