rootless: inhibit copy mapping for euid != 0

when running with euid != 0, inhibit the copy of the current mappings, even if the kernel allows that. This seems to be the expectation when running in a Kubernetes cluster with a non-root user. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
2025-06-27 21:50:18 +08:00 · 2022-12-20 13:11:59 +01:00
parent fb967aabc3
commit 90719d38f7
1 changed files with 5 additions and 0 deletions
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@ -223,6 +223,11 @@ func GetConfiguredMappings(quiet bool) ([]idtools.IDMap, []idtools.IDMap, error)
 }

 func copyMappings(from, to string) error {
+	// when running as non-root always go through the newuidmap/newgidmap
+	// configuration since this is the expectation when running on Kubernetes
+	if os.Geteuid() != 0 {
+		return errors.New("copying mappings is allowed only for root")
+	}
 	content, err := os.ReadFile(from)
 	if err != nil {
 		return err