author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-03-07 08:14:22 +0100 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-03-07 15:34:30 +0100 |
commit | 4a02713c57d874c404539047ccc5c5ff5c1958fc (patch) | |
tree | 17dc51a6f535188fffd123d604313fd83a305640 | |
parent | bf21ec8520bb429e9b1514422d9bc0b3426f4391 (diff) | |
rootless: exec join the user+mount namespace
it is not enough to join the user namespace where the container is
running. We also need to join the mount namespace so that we can
correctly perform look-ups inside the container rootfs. This is necessary
to lookup the mounted /etc/passwd file when --user is specified.
Closes: https://github.com/containers/libpod/issues/2566
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
-rw-r--r-- | cmd/podman/exec.go | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/cmd/podman/exec.go b/cmd/podman/exec.go
index 32a6e4bb5..9ca613ec2 100644
--- a/cmd/podman/exec.go
+++ b/cmd/podman/exec.go
@@ -108,16 +108,25 @@ func execCmd(c *cliconfig.ExecValues) error {
 	}
-	pid, err := ctr.PID()
-	if err != nil {
-		return err
-	}
-	became, ret, err := rootless.JoinNS(uint(pid), c.PreserveFDs)
-	if err != nil {
-		return err
-	}
-	if became {
-		os.Exit(ret)
+	if os.Geteuid() != 0 {
+		var became bool
+		var ret int
+
+		data, err := ioutil.ReadFile(ctr.Config().ConmonPidFile)
+		if err != nil {
+			return errors.Wrapf(err, "cannot read conmon PID file %q", ctr.Config().ConmonPidFile)
+		}
+		conmonPid, err := strconv.Atoi(string(data))
+		if err != nil {
+			return errors.Wrapf(err, "cannot parse PID %q", data)
+		}
+		became, ret, err = rootless.JoinDirectUserAndMountNS(uint(conmonPid))
+		if err != nil {
+			return err
+		}
+		if became {
+			os.Exit(ret)
+		}
 	}
 	// ENVIRONMENT VARIABLES
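Review bot: The PID parsed from the conmon pid file is handed straight to `rootless.JoinDirectUserAndMountNS(uint(conmonPid))` with no check that it still belongs to a live conmon for this container, so a stale pid file after conmon has exited (and the PID been recycled) would make podman join the user and mount namespaces of an unrelated process owned by the same user, or fail with a confusing error; verifying the target before joining (for example that the PID is alive and its user namespace matches the container's) would close that window. The `strconv.Atoi(string(data))` parse also rejects any trailing newline the file might carry; `strconv.Atoi(strings.TrimSpace(string(data)))` is the more tolerant form. The removed `rootless.JoinNS(uint(pid), c.PreserveFDs)` forwarded `--preserve-fds`, whereas the new call takes only the PID, so if the re-exec inside `JoinDirectUserAndMountNS` closes inherited descriptors that flag silently stops working for rootless exec (its implementation is not in this hunk, so this is inferred). execCmd continues outside the hunk on both sides.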