Summary
The Boost docker shim in /tmp/boost/tools mis-executes docker login … as the shadow-utils /usr/bin/login binary, breaking all container logins on hosts where /tmp/boost/tools is on PATH ahead of /usr/bin. This took down Docker setup in CI (GitHub Actions self-hosted runners) for jfrog/fly-service and jfrog/fly-desktop.
Observed error:
login: Cannot possibly work without effective root
Environment
- Boost binary:
/tmp/boost/tools/boost-arm64, statically-linked ELF aarch64, BuildID 397bf566827c6454219a2eba05fcdec8c27c2b2c, rebuilt 2026-06-18 11:26
- Host: self-hosted GitHub Actions runners (
Fly-Runner-US-ARM), Ubuntu, ARM64
- Real docker:
/usr/bin/docker (Docker 29.1.5) — works fine
- Boost shims present in
/tmp/boost/tools (all symlinks → boost-arm64): docker (created May 17), sh, bash, dash (created/rebuilt Jun 18 11:26)
Reproduction (minimal)
Same command, same env, same host — only the docker binary differs:
echo "$TOKEN" | /tmp/boost/tools/docker login flyjfrog.jfrog.io --username="$USER" --password-stdin
# -> login: Cannot possibly work without effective root (exit 1)
echo "$TOKEN" | /usr/bin/docker login flyjfrog.jfrog.io --username="$USER" --password-stdin
# -> Login Succeeded (exit 0)
Root cause
/tmp/boost/tools is prepended to PATH ahead of /usr/bin:
PATH=/home/ubuntu/actions-runner/_work/_tool/fly/1.4.15/arm64:/tmp/boost/tools:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:...
So docker resolves to the Boost shim. When a tool runs sh -c "echo $PASS | docker login <registry> --username=\"<user>\" --password-stdin", Boost's docker shim drops the login subcommand and execs the second token (login) as a standalone program — which resolves to /usr/bin/login (shadow-utils), printing Cannot possibly work without effective root (euid != 0).
Process chain proven via /proc/<pid>/exe (all the intermediate sh/docker/bash resolve to boost-arm64):
fly setup
└─ sh -c "echo $CONTAINER_MANAGER_PASS | docker login … --password-stdin" exe=/tmp/boost/tools/boost-arm64
└─ docker login … --password-stdin exe=/tmp/boost/tools/boost-arm64
└─ login <registry> --username=… --password-stdin -> /usr/bin/login ✗
The docker symlink alone existed since May 17 without breaking anything; the regression began with the Jun 18 11:26 boost-arm64 rebuild (and the new sh/bash/dash shims), which aligns exactly with the CI onset date.
Impact
- All
docker login / helm registry login style flows that go through a Boost-shimmed docker fail on affected hosts.
- Surfaced as
docker ✗ / failed to login to container registry in jfrog/fly-service and jfrog/fly-desktop CI on self-hosted ARM runners since 2026-06-18. GitHub-hosted runners are unaffected (no /tmp/boost).
Evidence (CI runs)
Expected behavior
The Boost docker shim must forward the full argument vector to the real docker binary unchanged (docker login <args> → real docker login <args>), never collapse login into a standalone command.
Suggested fixes
- Fix the Boost shim argument parsing so subcommands (
login, build, etc.) are preserved when delegating to the real binary.
- Avoid shadowing security-sensitive binaries (
login, newgrp, sg) and core tools in a PATH dir that can leak into unrelated process trees (e.g. CI runner services).
- Ensure Boost's shim dir does not contaminate the GitHub Actions runner-service
PATH.
Summary
The Boost
dockershim in/tmp/boost/toolsmis-executesdocker login …as the shadow-utils/usr/bin/loginbinary, breaking all container logins on hosts where/tmp/boost/toolsis onPATHahead of/usr/bin. This took down Docker setup in CI (GitHub Actions self-hosted runners) forjfrog/fly-serviceandjfrog/fly-desktop.Observed error:
Environment
/tmp/boost/tools/boost-arm64, statically-linked ELF aarch64,BuildID 397bf566827c6454219a2eba05fcdec8c27c2b2c, rebuilt 2026-06-18 11:26Fly-Runner-US-ARM), Ubuntu, ARM64/usr/bin/docker(Docker 29.1.5) — works fine/tmp/boost/tools(all symlinks →boost-arm64):docker(created May 17),sh,bash,dash(created/rebuilt Jun 18 11:26)Reproduction (minimal)
Same command, same env, same host — only the
dockerbinary differs:Root cause
/tmp/boost/toolsis prepended toPATHahead of/usr/bin:So
dockerresolves to the Boost shim. When a tool runssh -c "echo $PASS | docker login <registry> --username=\"<user>\" --password-stdin", Boost'sdockershim drops theloginsubcommand and execs the second token (login) as a standalone program — which resolves to/usr/bin/login(shadow-utils), printingCannot possibly work without effective root(euid != 0).Process chain proven via
/proc/<pid>/exe(all the intermediatesh/docker/bashresolve toboost-arm64):The
dockersymlink alone existed since May 17 without breaking anything; the regression began with the Jun 18 11:26boost-arm64rebuild (and the newsh/bash/dashshims), which aligns exactly with the CI onset date.Impact
docker login/helm registry loginstyle flows that go through a Boost-shimmeddockerfail on affected hosts.docker ✗/failed to login to container registryinjfrog/fly-serviceandjfrog/fly-desktopCI on self-hosted ARM runners since 2026-06-18. GitHub-hosted runners are unaffected (no/tmp/boost).Evidence (CI runs)
/proc/<pid>/exeancestry capture showingdocker→loginviaboost-arm64: https://github.com/jfrog/fly-service/actions/runs/27951007101Expected behavior
The Boost
dockershim must forward the full argument vector to the realdockerbinary unchanged (docker login <args>→ realdocker login <args>), never collapselogininto a standalone command.Suggested fixes
login,build, etc.) are preserved when delegating to the real binary.login,newgrp,sg) and core tools in aPATHdir that can leak into unrelated process trees (e.g. CI runner services).PATH.