authorNalin Dahyabhai <nalin@redhat.com>2018-05-04 11:26:56 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-05-17 17:05:44 +0000
commite686269da34ed4208f4ed517c0587ab38e8eaf2c (patch)
tree1ddf505de4e1713ed48efe1bff05fcda3234faff /libpod/container_internal.go
parent796d6c894a0c99fcfd47f036a278a1a11c446332 (diff)
chrootuser: default to GID 0 when given a numeric --user
When we're given a numeric --user value, default to GID 0 if the numeric ID doesn't correspond to a user entry in /etc/passwd that can provide us with the user's primary group ID. Make sure that GetAdditionalGroupsForUser() returns wrapped errors. Also test various user:group forms. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #728 Approved by: mheon
Diffstat (limited to 'libpod/container_internal.go')
-rw-r--r--libpod/container_internal.go16
1 files changed, 9 insertions, 7 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 5168e987b..b1420aa55 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1119,13 +1119,15 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
}
- // Look up and add groups the user belongs to
- groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Spec().Process.User.UID))
- if err != nil && err != chrootuser.ErrNoSuchUser {
- return nil, err
- }
- for _, gid := range groups {
- g.AddProcessAdditionalGid(gid)
+ // Look up and add groups the user belongs to, if a group wasn't directly specified
+ if !strings.Contains(c.config.User, ":") {
+ groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Spec().Process.User.UID))
+ if err != nil && errors.Cause(err) != chrootuser.ErrNoSuchUser {
+ return nil, err
+ }
+ for _, gid := range groups {
+ g.AddProcessAdditionalGid(gid)
+ }
}
// Add shared namespaces from other containers