diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2021-04-16 16:38:38 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-04-16 16:38:38 -0400 |
commit | b9730d2e9b8cb7d7798929690fa020f180f2e1b2 (patch) | |
tree | cbc1bebde8b80c8da472865fbe4a85a0146e59bf /libpod/container_validate.go | |
parent | bd94d84fadda7000da78e36d9865949dc8e7adb4 (diff) | |
parent | 9148568b2610c6d1fa03d90acf1f77f7bcea6ba4 (diff) | |
download | podman-b9730d2e9b8cb7d7798929690fa020f180f2e1b2.tar.gz podman-b9730d2e9b8cb7d7798929690fa020f180f2e1b2.tar.bz2 podman-b9730d2e9b8cb7d7798929690fa020f180f2e1b2.zip |
Merge pull request #10062 from mheon/bump_311
Bump to v3.1.1
Diffstat (limited to 'libpod/container_validate.go')
-rw-r--r-- | libpod/container_validate.go | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/libpod/container_validate.go b/libpod/container_validate.go index 245121a91..aae96ae85 100644 --- a/libpod/container_validate.go +++ b/libpod/container_validate.go @@ -126,5 +126,11 @@ func (c *Container) validate() error { } } + // If User in the OCI spec is set, require that c.config.User is set for + // security reasons (a lot of our code relies on c.config.User). + if c.config.User == "" && (c.config.Spec.Process.User.UID != 0 || c.config.Spec.Process.User.GID != 0) { + return errors.Wrapf(define.ErrInvalidArg, "please set User explicitly via WithUser() instead of in OCI spec directly") + } + return nil } |