Merge pull request #7516 from mheon/handle_no_passwd_file

Ensure rootless containers without a passwd can start
2025-06-24 19:42:56 +08:00 · 2020-09-01 06:07:08 -04:00
parent 138132e163 3875040f13
commit 65036cc49d
2 changed files with 24 additions and 0 deletions
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@ -1584,6 +1584,17 @@ func (c *Container) generatePasswd() (string, error) {
 	if _, err := os.Stat(passwdPath); err == nil {
 		return passwdPath, nil
 	}
+	// Check if container has a /etc/passwd - if it doesn't do nothing.
+	passwdPath, err := securejoin.SecureJoin(c.state.Mountpoint, "/etc/passwd")
+	if err != nil {
+		return "", errors.Wrapf(err, "error creating path to container %s /etc/passwd", c.ID())
+	}
+	if _, err := os.Stat(passwdPath); err != nil {
+		if os.IsNotExist(err) {
+			return "", nil
+		}
+		return "", errors.Wrapf(err, "unable to access container %s /etc/passwd", c.ID())
+	}
 	pwd := ""
 	if c.config.User != "" {
 		entry, err := c.generateUserPasswdEntry()
--- a/test/e2e/run_passwd_test.go
+++ b/test/e2e/run_passwd_test.go
@ -58,4 +58,17 @@ var _ = Describe("Podman run passwd", func() {
 		Expect(session.ExitCode()).To(Equal(0))
 		Expect(session.LineInOutputContains("passwd")).To(BeTrue())
 	})
+
+	It("podman can run container without /etc/passwd", func() {
+		SkipIfRemote()
+		dockerfile := `FROM alpine
+RUN rm -f /etc/passwd /etc/shadow /etc/group
+USER 1000`
+		imgName := "testimg"
+		podmanTest.BuildImage(dockerfile, imgName, "false")
+		session := podmanTest.Podman([]string{"run", "--rm", imgName, "ls", "/etc/"})
+		session.WaitWithDefaultTimeout()
+		Expect(session.ExitCode()).To(Equal(0))
+		Expect(session.OutputToString()).To(Not(ContainSubstring("passwd")))
+	})
 })