summaryrefslogtreecommitdiff
path: root/libpod
diff options
context:
space:
mode:
authorQi Wang <qiwan@redhat.com>2020-05-29 17:39:42 -0400
committerQi Wang <qiwan@redhat.com>2020-06-02 11:28:58 -0400
commit77e4b077b9d8989b1300689103a5489bd1ad9a8b (patch)
tree7f40976b06093fa7969a7cdcf19fb4365e45647c /libpod
parentf559cec6c0d1694cca9530004aaba3c138f621e3 (diff)
downloadpodman-77e4b077b9d8989b1300689103a5489bd1ad9a8b.tar.gz
podman-77e4b077b9d8989b1300689103a5489bd1ad9a8b.tar.bz2
podman-77e4b077b9d8989b1300689103a5489bd1ad9a8b.zip
check --user range for rootless containers
Check --user range if it's a uid for rootless containers. Returns error if it is out of the range. From https://github.com/containers/libpod/issues/6431#issuecomment-636124686 Signed-off-by: Qi Wang <qiwan@redhat.com>
Diffstat (limited to 'libpod')
-rw-r--r--libpod/container_internal_linux.go5
1 files changed, 5 insertions, 0 deletions
diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index 2bd6099f0..d08e012a6 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -325,6 +325,11 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
}
if c.config.User != "" {
+ if rootless.IsRootless() {
+ if err := util.CheckRootlessUIDRange(execUser.Uid); err != nil {
+ return nil, err
+ }
+ }
// User and Group must go together
g.SetProcessUID(uint32(execUser.Uid))
g.SetProcessGID(uint32(execUser.Gid))