diff options
author | Nalin Dahyabhai <nalin@redhat.com> | 2018-05-04 11:26:56 -0400 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-05-17 17:05:44 +0000 |
commit | e686269da34ed4208f4ed517c0587ab38e8eaf2c (patch) | |
tree | 1ddf505de4e1713ed48efe1bff05fcda3234faff /libpod | |
parent | 796d6c894a0c99fcfd47f036a278a1a11c446332 (diff) | |
download | podman-e686269da34ed4208f4ed517c0587ab38e8eaf2c.tar.gz podman-e686269da34ed4208f4ed517c0587ab38e8eaf2c.tar.bz2 podman-e686269da34ed4208f4ed517c0587ab38e8eaf2c.zip |
chrootuser: default to GID 0 when given a numeric --user
When we're given a numeric --user value, default to GID 0 if the numeric
ID doesn't correspond to a user entry in /etc/passwd that can provide us
with the user's primary group ID.
Make sure that GetAdditionalGroupsForUser() returns wrapped errors.
Also test various user:group forms.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
Closes: #728
Approved by: mheon
Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_internal.go | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/libpod/container_internal.go b/libpod/container_internal.go index 5168e987b..b1420aa55 100644 --- a/libpod/container_internal.go +++ b/libpod/container_internal.go @@ -1119,13 +1119,15 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) { } } - // Look up and add groups the user belongs to - groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Spec().Process.User.UID)) - if err != nil && err != chrootuser.ErrNoSuchUser { - return nil, err - } - for _, gid := range groups { - g.AddProcessAdditionalGid(gid) + // Look up and add groups the user belongs to, if a group wasn't directly specified + if !strings.Contains(c.config.User, ":") { + groups, err := chrootuser.GetAdditionalGroupsForUser(c.state.Mountpoint, uint64(g.Spec().Process.User.UID)) + if err != nil && errors.Cause(err) != chrootuser.ErrNoSuchUser { + return nil, err + } + for _, gid := range groups { + g.AddProcessAdditionalGid(gid) + } } // Add shared namespaces from other containers |