opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-28 14:29:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

rootless: inhibit copy mapping for euid != 0

Browse Source 
when running with euid != 0, inhibit the copy of the current mappings,
even if the kernel allows that.  This seems to be the expectation when
running in a Kubernetes cluster with a non-root user.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
Giuseppe Scrivano
2022-12-20 13:11:59 +01:00
parent fb967aabc3
commit 90719d38f7
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
pkg/rootless/rootless_linux.go
View File

@ -223,6 +223,11 @@ func GetConfiguredMappings(quiet bool) ([]idtools.IDMap, []idtools.IDMap, error)
} }
func copyMappings(from, to string) error { func copyMappings(from, to string) error {
// when running as non-root always go through the newuidmap/newgidmap
// configuration since this is the expectation when running on Kubernetes
if os.Geteuid() != 0 {
return errors.New("copying mappings is allowed only for root")
}
content, err := os.ReadFile(from) content, err := os.ReadFile(from)
if err != nil { if err != nil {
return err return err