inaccurate return code / broken error propagation
example: broken error propagation
Trigger exit codes do not appear to bubble up to calling applications, even if internally the broken_script flag is set.
In this example, we run one command that does not require elevated permissions, and one that does.
/ # adduser -D foo && cd /home/foo && su foo
~ $ mkdir x && apk add --root x --initdb && cp /etc/apk/repositories x/etc/apk
OK: 0 MiB in 0 packages
~ $ apk add --root x musl --allow-untrusted; echo $?
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
(1/1) Installing musl (1.2.4-r2)
OK: 0 MiB in 1 packages
0
~ $ apk add --root x mandoc --allow-untrusted; echo $?
(1/2) Installing zlib (1.2.13-r1)
(2/2) Installing mandoc (1.14.6-r8)
ERROR: 4 errors updating directory permissions
OK: 1 MiB in 3 packages
0
example: inaccurate return code
The apk return code may be inaccurate under certain circumstances, as it appears to rely on a combination of application runtime state as well as database state.
In this example, we run the same (problematic) command twice in a row. Under some circumstances, zero may be returned the first time, and a nonzero value on subsequent invocations.
/ # adduser -D foo && cd /home/foo && su foo
~ $ mkdir x && apk add --root x --initdb && cp /etc/apk/repositories x/etc/apk
OK: 0 MiB in 0 packages
~ $ apk add --root x ca-certificates --allow-untrusted; echo $?
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.18/community/x86_64/APKINDEX.tar.gz
(1/5) Installing musl (1.2.4-r2)
(2/5) Installing busybox (1.36.1-r5)
Executing busybox-1.36.1-r5.post-install
ERROR: busybox-1.36.1-r5.post-install: chroot: Operation not permitted
ERROR: busybox-1.36.1-r5.post-install: script exited with error 127
(3/5) Installing busybox-binsh (1.36.1-r5)
(4/5) Installing libcrypto3 (3.1.4-r1)
(5/5) Installing ca-certificates (20230506-r0)
ERROR: 33 errors updating directory permissions
Executing busybox-1.36.1-r5.trigger
ERROR: busybox-1.36.1-r5.trigger: chroot: Operation not permitted
ERROR: busybox-1.36.1-r5.trigger: script exited with error 127
Executing ca-certificates-20230506-r0.trigger
ERROR: ca-certificates-20230506-r0.trigger: chroot: Operation not permitted
ERROR: ca-certificates-20230506-r0.trigger: script exited with error 127
1 error; 6 MiB in 5 packages
1
~ $ apk add --root x ca-certificates --allow-untrusted; echo $?
2 errors; 6 MiB in 5 packages
2
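
A caller-side check for the behaviour reported above, as an added example that is not part of the original report or of apk-tools: a shell wrapper that treats an apk run as failed when either the exit status is nonzero or the output contains error lines. The function names and the two error-line patterns are assumptions derived from the output format shown in the sessions above.

```shell
#!/bin/sh
# Added example (not apk-tools code): judge an apk run by its exit status
# AND its output, since the status alone can be 0 despite reported errors.

# apk_log_has_errors: reads apk output on stdin. Returns 0 if it contains an
# "ERROR:" line or an "N error(s);" summary line (assumed formats), else 1.
apk_log_has_errors() {
    grep -Eq '^(ERROR:|[0-9]+ errors?;)'
}

# apk_verdict STATUS: apk output on stdin, exit status as argument.
# Prints "ok" or "failed"; returns 0 only when both signals are clean.
apk_verdict() {
    status=$1
    if apk_log_has_errors; then
        echo "failed"; return 1
    fi
    if [ "$status" -ne 0 ]; then
        echo "failed"; return 1
    fi
    echo "ok"
}

# strict_apk ARGS...: run apk, show its output, fail on either signal.
strict_apk() {
    log=$(mktemp) || return 1
    apk "$@" >"$log" 2>&1
    status=$?
    cat "$log"
    apk_verdict "$status" <"$log" >/dev/null
    verdict=$?
    rm -f "$log"
    return "$verdict"
}

# Constructed samples, copied from the sessions above.
SAMPLE_CLEAN='(1/1) Installing musl (1.2.4-r2)
OK: 0 MiB in 1 packages'
SAMPLE_MASKED='(1/2) Installing zlib (1.2.13-r1)
(2/2) Installing mandoc (1.14.6-r8)
ERROR: 4 errors updating directory permissions
OK: 1 MiB in 3 packages'
SAMPLE_SUMMARY='2 errors; 6 MiB in 5 packages'
```

In a build script, `strict_apk add --root x mandoc --allow-untrusted || exit 1` stops the pipeline on the mandoc case above, where plain `apk` returned 0.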