Merge pull request #7694 from mheon/fix_exec_supplemental_groups

Preserve groups in exec sessions in ctrs with --user
2025-06-22 09:58:10 +08:00 · 2020-09-19 06:32:59 -04:00
parent 5b7509c562 2f605dcc1c
commit c2068f11cc
2 changed files with 29 additions and 6 deletions
--- a/libpod/container_exec.go
+++ b/libpod/container_exec.go
@ -980,11 +980,6 @@ func prepareForExec(c *Container, session *ExecSession) (*ExecOptions, error) {
 		capList = capabilities.AllCapabilities()
 	}

-	user := c.config.User
-	if session.Config.User != "" {
-		user = session.Config.User
-	}
-
 	if err := c.createExecBundle(session.ID()); err != nil {
 		return nil, err
 	}
@ -995,7 +990,7 @@ func prepareForExec(c *Container, session *ExecSession) (*ExecOptions, error) {
 	opts.Env = session.Config.Environment
 	opts.Terminal = session.Config.Terminal
 	opts.Cwd = session.Config.WorkDir
-	opts.User = user
+	opts.User = session.Config.User
 	opts.PreserveFDs = session.Config.PreserveFDs
 	opts.DetachKeys = session.Config.DetachKeys
 	opts.ExitCommand = session.Config.ExitCommand
--- a/test/e2e/exec_test.go
+++ b/test/e2e/exec_test.go
@ -283,6 +283,34 @@ var _ = Describe("Podman exec", func() {
 		Expect(strings.Contains(exec.OutputToString(), fmt.Sprintf("%s(%s)", gid, groupName))).To(BeTrue())
 	})

+	It("podman exec preserves container groups with --user and --group-add", func() {
+		SkipIfRemote()
+		dockerfile := `FROM fedora-minimal
+RUN groupadd -g 4000 first
+RUN groupadd -g 4001 second
+RUN useradd -u 1000 auser`
+		imgName := "testimg"
+		podmanTest.BuildImage(dockerfile, imgName, "false")
+
+		ctrName := "testctr"
+		ctr := podmanTest.Podman([]string{"run", "-t", "-i", "-d", "--name", ctrName, "--user", "auser:first", "--group-add", "second", imgName, "sleep", "300"})
+		ctr.WaitWithDefaultTimeout()
+		Expect(ctr.ExitCode()).To(Equal(0))
+
+		exec := podmanTest.Podman([]string{"exec", "-t", ctrName, "id"})
+		exec.WaitWithDefaultTimeout()
+		Expect(exec.ExitCode()).To(Equal(0))
+		output := exec.OutputToString()
+		Expect(strings.Contains(output, "4000(first)")).To(BeTrue())
+		Expect(strings.Contains(output, "4001(second)")).To(BeTrue())
+		Expect(strings.Contains(output, "1000(auser)")).To(BeTrue())
+
+		// Kill the container just so the test does not take 15 seconds to stop.
+		kill := podmanTest.Podman([]string{"kill", ctrName})
+		kill.WaitWithDefaultTimeout()
+		Expect(kill.ExitCode()).To(Equal(0))
+	})
+
 	It("podman exec --detach", func() {
 		ctrName := "testctr"
 		ctr := podmanTest.Podman([]string{"run", "-t", "-i", "-d", "--name", ctrName, ALPINE, "top"})