opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-05-21 00:56:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add container GID to additional groups

Browse Source 
Mitigates a potential permissions issue. Mirrors Buildah PR #4200
and CRI-O PR #6159.

Signed-off-by: Matthew Heon <mheon@redhat.com>

MH: Backported to v4.0-rhel per RHBZ #2121541

Signed-off-by: Matthew Heon <mheon@redhat.com>
This commit is contained in:
Matthew Heon
2022-09-02 13:40:29 -04:00
parent 1cc1f6cc43
commit e7a73108b3
3 changed files with 13 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
libpod/container_internal_linux.go
View File

@ -592,6 +592,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// User and Group must go together // User and Group must go together
g.SetProcessUID(uint32(execUser.Uid)) g.SetProcessUID(uint32(execUser.Uid))
g.SetProcessGID(uint32(execUser.Gid)) g.SetProcessGID(uint32(execUser.Gid))
g.AddProcessAdditionalGid(uint32(execUser.Gid))
} }
if c.config.Umask != "" { if c.config.Umask != "" {

1
pkg/specgen/namespaces.go
View File

@ -512,6 +512,7 @@ func SetupUserNS(idmappings *storage.IDMappingOptions, userns Namespace, g *gene
idmappings = mappings idmappings = mappings
g.SetProcessUID(uint32(uid)) g.SetProcessUID(uint32(uid))
g.SetProcessGID(uint32(gid)) g.SetProcessGID(uint32(gid))
g.AddProcessAdditionalGid(uint32(gid))
user = fmt.Sprintf("%d:%d", uid, gid) user = fmt.Sprintf("%d:%d", uid, gid)
fallthrough fallthrough
case Private: case Private:

14
test/e2e/run_test.go
View File

@ -892,7 +892,7 @@ USER bin`, BB)
session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "id"}) session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "id"})
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0)) Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root)")) Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root) groups=0(root)"))
}) })
It("podman run with user (integer, in /etc/passwd)", func() { It("podman run with user (integer, in /etc/passwd)", func() {
@ -913,14 +913,14 @@ USER bin`, BB)
session := podmanTest.Podman([]string{"run", "--rm", "--user=mail:21", ALPINE, "id"}) session := podmanTest.Podman([]string{"run", "--rm", "--user=mail:21", ALPINE, "id"})
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0)) Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)")) Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
}) })
It("podman run with user:group (integer:groupname)", func() { It("podman run with user:group (integer:groupname)", func() {
session := podmanTest.Podman([]string{"run", "--rm", "--user=8:ftp", ALPINE, "id"}) session := podmanTest.Podman([]string{"run", "--rm", "--user=8:ftp", ALPINE, "id"})
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0)) Expect(session).Should(Exit(0))
Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)")) Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
}) })
It("podman run with user, verify caps dropped", func() { It("podman run with user, verify caps dropped", func() {
@ -931,6 +931,14 @@ USER bin`, BB)
Expect("0000000000000000").To(Equal(capEff[1])) Expect("0000000000000000").To(Equal(capEff[1]))
}) })
It("podman run with user, verify group added", func() {
session := podmanTest.Podman([]string{"run", "--rm", "--user=1000:1000", ALPINE, "grep", "Groups:", "/proc/self/status"})
session.WaitWithDefaultTimeout()
Expect(session).Should(Exit(0))
groups := strings.Split(session.OutputToString(), " ")[1]
Expect("1000").To(Equal(groups))
})
It("podman run with attach stdin outputs container ID", func() { It("podman run with attach stdin outputs container ID", func() {
session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"}) session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"})
session.WaitWithDefaultTimeout() session.WaitWithDefaultTimeout()