aboutsummaryrefslogtreecommitdiff
path: root/libpod/container_validate.go
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-04-16 16:38:38 -0400
committerGitHub <noreply@github.com>2021-04-16 16:38:38 -0400
commitb9730d2e9b8cb7d7798929690fa020f180f2e1b2 (patch)
treecbc1bebde8b80c8da472865fbe4a85a0146e59bf /libpod/container_validate.go
parentbd94d84fadda7000da78e36d9865949dc8e7adb4 (diff)
parent9148568b2610c6d1fa03d90acf1f77f7bcea6ba4 (diff)
downloadpodman-b9730d2e9b8cb7d7798929690fa020f180f2e1b2.tar.gz
podman-b9730d2e9b8cb7d7798929690fa020f180f2e1b2.tar.bz2
podman-b9730d2e9b8cb7d7798929690fa020f180f2e1b2.zip
Merge pull request #10062 from mheon/bump_311
Bump to v3.1.1
Diffstat (limited to 'libpod/container_validate.go')
-rw-r--r--libpod/container_validate.go6
1 files changed, 6 insertions, 0 deletions
diff --git a/libpod/container_validate.go b/libpod/container_validate.go
index 245121a91..aae96ae85 100644
--- a/libpod/container_validate.go
+++ b/libpod/container_validate.go
@@ -126,5 +126,11 @@ func (c *Container) validate() error {
}
}
+ // If User in the OCI spec is set, require that c.config.User is set for
+ // security reasons (a lot of our code relies on c.config.User).
+ if c.config.User == "" && (c.config.Spec.Process.User.UID != 0 || c.config.Spec.Process.User.GID != 0) {
+ return errors.Wrapf(define.ErrInvalidArg, "please set User explicitly via WithUser() instead of in OCI spec directly")
+ }
+
return nil
}