summaryrefslogtreecommitdiff
path: root/libpod/container_internal_linux.go
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-09-21 15:45:55 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-09-21 22:11:09 +0200
commitfb353f6f421656cafba05a885c921ca73daa5d70 (patch)
tree0b90096dfa60a577ef542e05aa86d09478143c49 /libpod/container_internal_linux.go
parent0d95e3aa06baf0613addc69b3d01bb7c262abd34 (diff)
downloadpodman-fb353f6f421656cafba05a885c921ca73daa5d70.tar.gz
podman-fb353f6f421656cafba05a885c921ca73daa5d70.tar.bz2
podman-fb353f6f421656cafba05a885c921ca73daa5d70.zip
execuser: look at the source for /etc/{passwd,group} overrides
look if there are bind mounts that can shadow the /etc/passwd and /etc/group files. In that case, look at the bind mount source. Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'libpod/container_internal_linux.go')
-rw-r--r--libpod/container_internal_linux.go27
1 files changed, 26 insertions, 1 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 355b9bea4..230b5b888 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -181,6 +181,30 @@ func (c *Container) cleanupNetwork() error {
return nil
}
+func (c *Container) getUserOverrides() *lookup.Overrides {
+ var hasPasswdFile, hasGroupFile bool
+ overrides := lookup.Overrides{}
+ for _, m := range c.config.Spec.Mounts {
+ if m.Destination == "/etc/passwd" {
+ overrides.ContainerEtcPasswdPath = m.Source
+ hasPasswdFile = true
+ }
+ if m.Destination == "/etc/group" {
+ overrides.ContainerEtcGroupPath = m.Source
+ hasGroupFile = true
+ }
+ if m.Destination == "/etc" {
+ if !hasPasswdFile {
+ overrides.ContainerEtcPasswdPath = filepath.Join(m.Source, "passwd")
+ }
+ if !hasGroupFile {
+ overrides.ContainerEtcGroupPath = filepath.Join(m.Source, "group")
+ }
+ }
+ }
+ return &overrides
+}
+
// Generate spec for a container
// Accepts a map of the container's dependencies
func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
@@ -188,7 +212,8 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
span.SetTag("type", "container")
defer span.Finish()
- execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, nil)
+ overrides := c.getUserOverrides()
+ execUser, err := lookup.GetUserGroupInfo(c.state.Mountpoint, c.config.User, overrides)
if err != nil {
return nil, err
}