"oc --config=…" fails when HOME points to inaccessible directory #9581

Closed
hansmi opened this issue Jun 27, 2016 · 4 comments

hansmi commented Jun 27, 2016

The oc binary still attempts to read a default configuration from $HOME/.kube/config even when --config=… is set. This is problematic when HOME points to an inaccessible directory. While this should not be the case, it may still happen, for example, when running commands via sudo where environment variables may not be reset.

Version

# oc version
oc v1.2.0
kubernetes v1.2.0-36-g4a3f9c5

Steps To Reproduce

  1. Write configuration to ~nagios/config.txt (left as an exercise to the reader)
  2. sudo -u nagios oc --config ~nagios/config.txt whoami

Current Result

# sudo -u nagios oc --config ~nagios/config.txt whoami
error: stat /root/.kube/config: permission denied

The reason is that HOME is not set correctly for the nagios user:

# sudo -u nagios env | grep ^HOME=
HOME=/root

Expected Result

The HOME environment variable should have no effect if --config is in use.

# sudo -u nagios oc --config ~nagios/config.txt whoami
system:serviceaccount:[…]

deads2k (Contributor) commented Jun 29, 2016

I can't reproduce:

sudo -u root `which oc` --config ~missing/config whoami
error: stat ~missing/config: no such file or directory

and

unset HOME
oc --config ~missingfile whoami
error: stat ~missingfile: no such file or directory

and

unset HOME
oc --config /home/deads/.kube/config whoami
deads

Do you get the same results when you switch to the user and run the command separate instead of as a sudo?

hansmi (Author) commented Jul 5, 2016

> Do you get the same results when you switch to the user and run the command separate instead of as a sudo?

Yes, when the HOME environment variable points to a non-readable directory. The issue is not the file pointed to by --config, but rather any directory specified in HOME. If the variable is set, the directory exists and is inaccessible for the user running oc, the issue occurs. An unset HOME variable is not good either (see below).

Long story short, the code should not use the default configuration file if a specific file is set using --config, or at least ignore EACCES/ENOENT (and possibly others) for the default configuration file in such a situation.

Note that I'm using sudo without -H, i.e. without resetting HOME:

# id
uid=0(root) gid=0(root) groups=0(root)
# echo ~nagios
/var/lib/nagios
# sudo -u nagios bash -c 'id; echo $HOME'
uid=108(nagios) gid=115(nagios) groups=115(nagios)
/root
# sudo -u nagios oc --config ~nagios/config.txt whoami
error: stat /root/.kube/config: permission denied

The issue does not occur when HOME is set to the real home directory (note use of -H to set HOME):

# ( sudo -H -u nagios bash -c 'id; set | grep ^HOME; oc --config ~nagios/config.txt whoami'; )
uid=108(nagios) gid=115(nagios) groups=115(nagios)
HOME=/var/lib/nagios
system:serviceaccount:

Or another readable directory:

# ( HOME=/tmp sudo -u nagios bash -c 'id; set | grep ^HOME; oc --config ~nagios/config.txt whoami'; )
uid=108(nagios) gid=115(nagios) groups=115(nagios)
HOME=/tmp
system:serviceaccount:[…]

Or a non-existent directory:

# ( HOME=/does/not/exist sudo -u nagios bash -c 'id; set | grep ^HOME; ls $HOME; oc --config ~nagios/config.txt whoami'; )
uid=108(nagios) gid=115(nagios) groups=115(nagios)
HOME=/does/not/exist
ls: cannot access /does/not/exist: No such file or directory
system:serviceaccount:[…]

An unset HOME variable isn't good (note use of -E to not touch the environment):

# ( unset HOME; sudo -E -u nagios bash -c 'set | grep ^HOME; oc --config ~nagios/config.txt whoami'; )
error: stat .kube/config: permission denied

A file isn't good either (not really useful; just for demonstration):

# ( HOME=/dev/null sudo -u nagios bash -c 'id; set | grep ^HOME; ls $HOME; oc --config ~nagios/config.txt whoami'; )
uid=108(nagios) gid=115(nagios) groups=115(nagios)
HOME=/dev/null
/dev/null
error: stat /dev/null/.kube/config: not a directory

@deads2k deads2k assigned fabianofranz and unassigned deads2k Jul 5, 2016

deads2k (Contributor) commented Jul 5, 2016

Looks like HEAD is happy (my user is deads):

unset HOME; sudo -E -u david bash -c 'set | grep ^HOME; /tmp/oc --config ~nagios/config.txt whoami';
error: stat ~nagios/config.txt: no such file or directory

@fabianofranz Not sure if you want to dig back in time.

hansmi (Author) commented Jul 5, 2016

@deads2k, you ran it with an unset HOME. The problem occurs when HOME is set to a non-readable directory. Can you try this command, please?

HOME=/root sudo -E -u david bash -c 'set | grep ^HOME; /tmp/oc --config /dev/null whoami'

Assuming your user can't access /root you should see an output as follows:

HOME=/root
error: stat /root/.kube/config: permission denied

@deads2k deads2k assigned deads2k and unassigned fabianofranz Jul 5, 2016
k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Jul 8, 2016
Automatic merge from submit-queue

don't migrate files you can't access

If you can't access a file, you shouldn't try to migrate it.

Ref openshift/origin#9581
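
The failure reported in this issue and the remedy hansmi asks for (skip the default file when --config is given, or tolerate EACCES/ENOENT on it), as a Go model added here for illustration; it is not code from oc or Kubernetes. The function names, the injectable stat parameter and the sample paths are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// statFn is injectable so an unreadable HOME can be simulated in tests (assumption).
type statFn func(string) (os.FileInfo, error)

// naiveResolve models the reported behaviour: $HOME/.kube/config is probed first
// and only "does not exist" is tolerated, so --config cannot bypass a bad HOME.
func naiveResolve(explicit, home string, stat statFn) (string, error) {
	def := filepath.Join(home, ".kube", "config")
	if _, err := stat(def); err != nil && !errors.Is(err, os.ErrNotExist) {
		return "", err // fails here even though an explicit file was given
	}
	if explicit != "" {
		return explicit, nil
	}
	return def, nil
}

// hardenedResolve never touches the default path when --config is given, and
// otherwise treats ENOENT/EACCES/ENOTDIR on the default as "no default config".
func hardenedResolve(explicit, home string, stat statFn) (string, error) {
	if explicit != "" {
		return explicit, nil // the loader reports problems with this file itself
	}
	def := filepath.Join(home, ".kube", "config")
	_, err := stat(def)
	if errors.Is(err, os.ErrNotExist) || errors.Is(err, os.ErrPermission) || errors.Is(err, syscall.ENOTDIR) {
		return "", nil
	}
	return def, err
}

func main() {
	// HOME=/dev/null is one of the failing cases shown in the thread.
	_, err := naiveResolve("/tmp/config.txt", "/dev/null", os.Stat)
	fmt.Println("naive:   ", err)
	p, err := hardenedResolve("/tmp/config.txt", "/dev/null", os.Stat)
	fmt.Println("hardened:", p, err)
}
```

An empty HOME makes the default path relative (.kube/config), which matches the "stat .kube/config: permission denied" output in the unset-HOME case above.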
