summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
authorMatthew Heon <mheon@redhat.com>2022-09-02 13:40:29 -0400
committerMatthew Heon <mheon@redhat.com>2022-09-02 15:51:36 -0400
commitd82a41687e614d9ac8b2d169dee47fe226835e4c (patch)
treeb557e257245d28db09c704bf40f4271efa73d165 /libpod
parent0e66f75f2a6d3792ae7fd2d77fe8a55b6fbdb0ce (diff)
downloadpodman-d82a41687e614d9ac8b2d169dee47fe226835e4c.tar.gz
podman-d82a41687e614d9ac8b2d169dee47fe226835e4c.tar.bz2
podman-d82a41687e614d9ac8b2d169dee47fe226835e4c.zip
Add container GID to additional groups
Mitigates a potential permissions issue. Mirrors Buildah PR #4200 and CRI-O PR #6159. Signed-off-by: Matthew Heon <mheon@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_internal_linux.go1
1 files changed, 1 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 5c5fd471b..bb50ddc43 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -682,6 +682,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
// User and Group must go together
g.SetProcessUID(uint32(execUser.Uid))
g.SetProcessGID(uint32(execUser.Gid))
+ g.AddProcessAdditionalGid(uint32(execUser.Gid))
}
if c.config.Umask != "" {
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-12 06:45:05 +0000