From cc2cfe56305ac53c43c447e4345cdc3dc767ba22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Fri, 3 Nov 2023 14:30:24 +0100
Subject: [PATCH] don't chown mountpoint if already correct

This avoids issues where directory might be bind mounted.
---
 pkgs/sops-install-secrets/linux.go | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/pkgs/sops-install-secrets/linux.go b/pkgs/sops-install-secrets/linux.go
index 634eac8..523f1bc 100644
--- a/pkgs/sops-install-secrets/linux.go
+++ b/pkgs/sops-install-secrets/linux.go
@@ -34,6 +34,15 @@ func SecureSymlinkChown(symlinkToCheck, expectedTarget string, owner, group int)
 	if n > len(expectedTarget) || string(buf[:n]) != expectedTarget {
 		return fmt.Errorf("symlink %s does not point to %s", symlinkToCheck, expectedTarget)
 	}
+	stat := unix.Stat_t{}
+	err = unix.Fstat(fd, &stat)
+	if err != nil {
+		return fmt.Errorf("cannot stat '%s': %w", symlinkToCheck, err)
+	}
+	if stat.Uid == uint32(owner) || stat.Gid == uint32(group) {
+		return nil // already correct
+	}
+
 	err = unix.Fchownat(fd, "", owner, group, unix.AT_EMPTY_PATH)
 	if err != nil {
 		return fmt.Errorf("cannot change owner of '%s' to %d/%d: %w", symlinkToCheck, owner, group, err)
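Review bot: The early return on the new `if stat.Uid == uint32(owner) || stat.Gid == uint32(group)` line fires when only one of uid or gid already matches, so a target with the right owner but a stale group (or the reverse) is never corrected and the function still reports success. The skip is only safe when both already match: `if stat.Uid == uint32(owner) && stat.Gid == uint32(group) {`. Because this function exists to pin the ownership of the secrets directory, an uncorrected group silently leaves the directory accessible to the wrong group with no error surfacing to the caller, which is worse than the chown it was meant to avoid. SecureSymlinkChown begins and ends outside the hunk.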