Podman run --passwd

added support for a new flag --passwd which, when false prohibits podman from creating entries in
/etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint

resolves #11805

Signed-off-by: cdoern <cdoern@redhat.com>

1 files changed, 4 insertions, 0 deletions

diff --git a/cmd/podman/containers/run.go b/cmd/podman/containers/run.go
index cfb89ce57..b9a2c3bb5 100644
--- a/cmd/podman/containers/run.go
+++ b/cmd/podman/containers/run.go
@@ -83,6 +83,9 @@ func runFlags(cmd *cobra.Command) {
 	_ = cmd.RegisterFlagCompletionFunc(gpuFlagName, completion.AutocompleteNone)
 	_ = flags.MarkHidden("gpus")
 
+	passwdFlagName := "passwd"
+	flags.BoolVar(&runOpts.Passwd, passwdFlagName, true, "add entries to /etc/passwd and /etc/group")
+
 	if registry.IsRemote() {
 		_ = flags.MarkHidden("preserve-fds")
 		_ = flags.MarkHidden("conmon-pidfile")
@@ -191,6 +194,7 @@ func run(cmd *cobra.Command, args []string) error {
 		return err
 	}
 	s.RawImageName = rawImageName
+	s.Passwd = &runOpts.Passwd
 	runOpts.Spec = s
 
 	if _, err := createPodIfNecessary(cmd, s, cliVals.Net); err != nil {