summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
authorNalin Dahyabhai <nalin@redhat.com>2018-05-04 11:26:56 -0400
committerAtomic Bot <atomic-devel@projectatomic.io>2018-05-17 17:05:44 +0000
commite686269da34ed4208f4ed517c0587ab38e8eaf2c (patch)
tree1ddf505de4e1713ed48efe1bff05fcda3234faff /libpod
parent796d6c894a0c99fcfd47f036a278a1a11c446332 (diff)
downloadpodman-e686269da34ed4208f4ed517c0587ab38e8eaf2c.tar.gz
podman-e686269da34ed4208f4ed517c0587ab38e8eaf2c.tar.bz2
podman-e686269da34ed4208f4ed517c0587ab38e8eaf2c.zip
chrootuser: default to GID 0 when given a numeric --user
When we're given a numeric --user value, default to GID 0 if the numeric ID doesn't correspond to a user entry in /etc/passwd that can provide us with the user's primary group ID. Make sure that GetAdditionalGroupsForUser() returns wrapped errors. Also test various user:group forms. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #728 Approved by: mheon
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_internal.go16
1 files changed, 9 insertions, 7 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go
index 5168e987b..b1420aa55 100644
--- a/libpod/container_internal.go
+++ b/libpod/container_internal.go
@@ -1119,13 +1119,15 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
}
- // Look up and add groups the user belongs to
- groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Spec().Process.User.UID))
- if err != nil && err != chrootuser.ErrNoSuchUser {
- return nil, err
- }
- for _, gid := range groups {
- g.AddProcessAdditionalGid(gid)
+ // Look up and add groups the user belongs to, if a group wasn't directly specified
+ if !strings.Contains(c.config.User, ":") {
+ groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Spec().Process.User.UID))
+ if err != nil && errors.Cause(err) != chrootuser.ErrNoSuchUser {
+ return nil, err
+ }
+ for _, gid := range groups {
+ g.AddProcessAdditionalGid(gid)
+ }
}
// Add shared namespaces from other containers