From 76c18c8970c231f8b86b58062ee9d652934e484c Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@redhat.com>
Date: Tue, 9 Sep 2025 12:58:48 -0400
Subject: [PATCH] chroot: use $PATH when finding commands

Use the $PATH from the runtime config, if it includes one, so that when
the command to run isn't an absolute path and the command isn't being
processed by the shell, exec.Command()'s internal call to
exec.LookPath() will find it.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
---
 chroot/run_common.go | 10 ++++++++++
 tests/bud.bats       | 17 +++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/chroot/run_common.go b/chroot/run_common.go
index 0e50cf0e8..fbd0689f6 100644
--- a/chroot/run_common.go
+++ b/chroot/run_common.go
@@ -12,6 +12,7 @@ import (
 	"os/signal"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@@ -743,6 +744,15 @@ func runUsingChrootExecMain() {
 		os.Exit(1)
 	}
 
+	// Set $PATH to the value for the container, so that when args[0] is not an absolute path,
+	// exec.Command() can find it using exec.LookPath().
+	for _, env := range slices.Backward(options.Spec.Process.Env) {
+		if val, ok := strings.CutPrefix(env, "PATH="); ok {
+			os.Setenv("PATH", val)
+			break
+		}
+	}
+
 	// Actually run the specified command.
 	cmd := exec.Command(args[0], args[1:]...)
 	setPdeathsig(cmd)
diff --git a/tests/bud.bats b/tests/bud.bats
index 2fe7bf9e0..cab4eb898 100644
--- a/tests/bud.bats
+++ b/tests/bud.bats
@@ -8888,3 +8888,20 @@ _EOF
   run_buildah --root=${TEST_SCRATCH_DIR}/newroot --storage-opt=imagestore=${TEST_SCRATCH_DIR}/root build --pull=never ${contextdir}
   run_buildah --root=${TEST_SCRATCH_DIR}/newroot --storage-opt=imagestore=${TEST_SCRATCH_DIR}/root build --pull=never --squash ${contextdir}
 }
+
+@test "bud with exec-form RUN instruction" {
+  baseimage=busybox
+  _prefetch $baseimage
+  local contextdir=${TEST_SCRATCH_DIR}/context
+  mkdir -p "${contextdir}"
+  cat > "${contextdir}"/Dockerfile <<-EOF
+  FROM scratch AS mkdir
+  RUN --mount=type=bind,from="${baseimage}",destination=/usr ["busybox", "sh", "-x", "-c", "mkdir /brand-new-subdir"]
+  FROM "${baseimage}"
+  RUN --mount=type=bind,from=mkdir,destination=/mounted find /mounted -print
+EOF
+  run_buildah build --layers=true "${contextdir}"
+  expect_output --substring /mounted/brand-new-subdir
+  run_buildah build --layers=false "${contextdir}"
+  expect_output --substring /mounted/brand-new-subdir
+}