rootless: exec join the user+mount namespace

it is not enough to join the user namespace where the container is running. We also need to join the mount namespace so that we can correctly look-up inside of the container rootfs. This is necessary to lookup the mounted /etc/passwd file when --user is specified. Closes: https://github.com/containers/libpod/issues/2566 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-06-22 09:58:10 +08:00 · 2019-03-07 08:14:22 +01:00
parent bf21ec8520
commit 4a02713c57
1 changed files with 19 additions and 10 deletions
--- a/cmd/podman/exec.go
+++ b/cmd/podman/exec.go
@ -108,16 +108,25 @@ func execCmd(c *cliconfig.ExecValues) error {

 	}

-	pid, err := ctr.PID()
-	if err != nil {
-		return err
-	}
-	became, ret, err := rootless.JoinNS(uint(pid), c.PreserveFDs)
-	if err != nil {
-		return err
-	}
-	if became {
-		os.Exit(ret)
+	if os.Geteuid() != 0 {
+		var became bool
+		var ret int
+
+		data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
+		if err != nil {
+			return errors.Wrapf(err, "cannot read conmon PID file %q", ctr.Config().ConmonPidFile)
+		}
+		conmonPid, err := strconv.Atoi(string(data))
+		if err != nil {
+			return errors.Wrapf(err, "cannot parse PID %q", data)
+		}
+		became, ret, err = rootless.JoinDirectUserAndMountNS(uint(conmonPid))
+		if err != nil {
+			return err
+		}
+		if became {
+			os.Exit(ret)
+		}
 	}

 	// ENVIRONMENT VARIABLES