diff options
author | Daniel J Walsh <dwalsh@redhat.com> | 2022-04-08 10:51:39 -0400 |
---|---|---|
committer | Daniel J Walsh <dwalsh@redhat.com> | 2022-04-08 10:52:08 -0400 |
commit | 2508913a0f5d531d9c965f695b8b19dfb23882c7 (patch) | |
tree | 1fc7102ceaff574a08c028997149e15e261ec5f8 /pkg/rootless | |
parent | cdbc33112ef6407db1292f0a40778e6ac1d8996e (diff) | |
download | podman-2508913a0f5d531d9c965f695b8b19dfb23882c7.tar.gz podman-2508913a0f5d531d9c965f695b8b19dfb23882c7.tar.bz2 podman-2508913a0f5d531d9c965f695b8b19dfb23882c7.zip |
If newuidmap or newgidmap fail, then check their permissions
Often distributions to not have newuidmap and netgidmap configured
to be setuid. If Podman fails to setup the user namespace, check to
see if these files doe not have the proper protection and tell the user.
[NO NEW TESTS NEEDED]
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/rootless')
-rw-r--r-- | pkg/rootless/rootless_linux.go | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index cff6de5a3..e4d89294e 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -25,6 +25,7 @@ import ( "github.com/containers/storage/pkg/unshare" "github.com/pkg/errors" "github.com/sirupsen/logrus" + "github.com/syndtr/gocapability/capability" "golang.org/x/sys/unix" ) @@ -114,8 +115,14 @@ func GetRootlessGID() int { func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) error { var tool = "newuidmap" + mode := os.ModeSetuid + cap := capability.CAP_SETUID + idtype := "setuid" if !uid { tool = "newgidmap" + mode = os.ModeSetgid + cap = capability.CAP_SETGID + idtype = "setgid" } path, err := exec.LookPath(tool) if err != nil { @@ -147,7 +154,13 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err if output, err := cmd.CombinedOutput(); err != nil { logrus.Errorf("running `%s`: %s", strings.Join(args, " "), output) - return errors.Wrapf(err, "cannot setup namespace using %q", path) + errorStr := fmt.Sprintf("cannot setup namespace using %q", path) + if isSet, err := unshare.IsSetID(cmd.Path, mode, cap); err != nil { + logrus.Errorf("Failed to check for %s on %s: %v", idtype, path, err) + } else if !isSet { + errorStr = fmt.Sprintf("%s: should have %s or have filecaps %s", errorStr, idtype, idtype) + } + return errors.Wrapf(err, errorStr) } return nil } |