diff options
| author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-09-21 15:45:55 +0200 |
|---|---|---|
| committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-09-21 22:11:09 +0200 |
| commit | fb353f6f421656cafba05a885c921ca73daa5d70 (patch) | |
| tree | 0b90096dfa60a577ef542e05aa86d09478143c49 | |
| parent | 0d95e3aa06baf0613addc69b3d01bb7c262abd34 (diff) | |
| download | podman-fb353f6f421656cafba05a885c921ca73daa5d70.tar.gz podman-fb353f6f421656cafba05a885c921ca73daa5d70.tar.bz2 podman-fb353f6f421656cafba05a885c921ca73daa5d70.zip | |
execuser: look at the source for /etc/{passwd,group} overrides
look if there are bind mounts that can shadow the /etc/passwd and
/etc/group files. In that case, look at the bind mount source.
Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| -rw-r--r-- | libpod/container_internal_linux.go | 27 | ||||
| -rw-r--r-- | pkg/lookup/lookup.go | 30 | ||||
| -rw-r--r-- | test/e2e/run_test.go | 6 |
3 files changed, 49 insertions, 14 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 355b9bea4..230b5b888 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -181,6 +181,30 @@ func (c *Container) cleanupNetwork() error { return nil } +func (c *Container) getUserOverrides() *lookup.Overrides { + var hasPasswdFile, hasGroupFile bool + overrides := lookup.Overrides{} + for _, m := range c.config.Spec.Mounts { + if m.Destination == "/etc/passwd" { + overrides.ContainerEtcPasswdPath = m.Source + hasPasswdFile = true + } + if m.Destination == "/etc/group" { + overrides.ContainerEtcGroupPath = m.Source + hasGroupFile = true + } + if m.Destination == "/etc" { + if !hasPasswdFile { + overrides.ContainerEtcPasswdPath = filepath.Join(m.Source, "passwd") + } + if !hasGroupFile { + overrides.ContainerEtcGroupPath = filepath.Join(m.Source, "group") + } + } + } + return &overrides +} + // Generate spec for a container // Accepts a map of the container's dependencies func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { @@ -188,7 +212,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { span.SetTag("type", "container") defer span.Finish() - execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, nil) + overrides := c.getUserOverrides() + execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, overrides) if err != nil { return nil, err } diff --git a/pkg/lookup/lookup.go b/pkg/lookup/lookup.go index 70b97144f..a249dd753 100644 --- a/pkg/lookup/lookup.go +++ b/pkg/lookup/lookup.go @@ -29,17 +29,30 @@ func GetUserGroupInfo(containerMount, containerUser string, override *Overrides) defaultExecUser *user.ExecUser err error ) - passwdPath := etcpasswd - groupPath := etcgroup if override != nil { // Check for an override /etc/passwd path if override.ContainerEtcPasswdPath != "" { - passwdPath = override.ContainerEtcPasswdPath + passwdDest = override.ContainerEtcPasswdPath } // Check for an override for /etc/group path if override.ContainerEtcGroupPath != "" { - groupPath = override.ContainerEtcGroupPath + groupDest = override.ContainerEtcGroupPath + } + } + + if passwdDest == "" { + // Make sure the /etc/passwd destination is not a symlink to something naughty + if passwdDest, err = securejoin.SecureJoin(containerMount, etcpasswd); err != nil { + logrus.Debug(err) + return nil, err + } + } + if groupDest == "" { + // Make sure the /etc/group destination is not a symlink to something naughty + if groupDest, err = securejoin.SecureJoin(containerMount, etcgroup); err != nil { + logrus.Debug(err) + return nil, err } } @@ -56,15 +69,6 @@ func GetUserGroupInfo(containerMount, containerUser string, override *Overrides) } - // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty - if passwdDest, err = securejoin.SecureJoin(containerMount, passwdPath); err != nil { - logrus.Debug(err) - return nil, err - } - if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil { - logrus.Debug(err) - return nil, err - } return user.GetExecUserPath(containerUser, defaultExecUser, passwdDest, groupDest) } diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go index 55920467c..1e6f1d97d 100644 --- a/test/e2e/run_test.go +++ b/test/e2e/run_test.go @@ -200,6 +200,12 @@ var _ = Describe("Podman run", func() { match, _ := session.GrepString("/root") Expect(match).Should(BeTrue()) + session = podmanTest.Podman([]string{"run", "--rm", "--user", "2", ALPINE, "printenv", "HOME"}) + session.WaitWithDefaultTimeout() + Expect(session.ExitCode()).To(Equal(0)) + match, _ = session.GrepString("/sbin") + Expect(match).Should(BeTrue()) + session = podmanTest.Podman([]string{"run", "--rm", "--env", "HOME=/foo", ALPINE, "printenv", "HOME"}) session.WaitWithDefaultTimeout() Expect(session.ExitCode()).To(Equal(0)) |