authorDaniel J Walsh <dwalsh@redhat.com>2022-04-08 10:51:39 -0400
committerDaniel J Walsh <dwalsh@redhat.com>2022-04-08 10:52:08 -0400
commit2508913a0f5d531d9c965f695b8b19dfb23882c7 (patch)
tree1fc7102ceaff574a08c028997149e15e261ec5f8 /pkg/rootless
parentcdbc33112ef6407db1292f0a40778e6ac1d8996e (diff)
downloadpodman-2508913a0f5d531d9c965f695b8b19dfb23882c7.tar.gz
podman-2508913a0f5d531d9c965f695b8b19dfb23882c7.tar.bz2
podman-2508913a0f5d531d9c965f695b8b19dfb23882c7.zip
If newuidmap or newgidmap fail, then check their permissions
Often distributions do not have newuidmap and newgidmap configured to be setuid. If Podman fails to set up the user namespace, check whether these files lack the proper protection and tell the user. [NO NEW TESTS NEEDED] Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Diffstat (limited to 'pkg/rootless')
-rw-r--r--pkg/rootless/rootless_linux.go15
1 files changed, 14 insertions, 1 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index cff6de5a3..e4d89294e 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -25,6 +25,7 @@ import (
"github.com/containers/storage/pkg/unshare"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
+ "github.com/syndtr/gocapability/capability"
"golang.org/x/sys/unix"
)
@@ -114,8 +115,14 @@ func GetRootlessGID() int {
func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) error {
var tool = "newuidmap"
+ mode := os.ModeSetuid
+ cap := capability.CAP_SETUID
+ idtype := "setuid"
if !uid {
tool = "newgidmap"
+ mode = os.ModeSetgid
+ cap = capability.CAP_SETGID
+ idtype = "setgid"
}
path, err := exec.LookPath(tool)
if err != nil {
@@ -147,7 +154,13 @@ func tryMappingTool(uid bool, pid int, hostID int, mappings []idtools.IDMap) err
if output, err := cmd.CombinedOutput(); err != nil {
logrus.Errorf("running `%s`: %s", strings.Join(args, " "), output)
- return errors.Wrapf(err, "cannot setup namespace using %q", path)
+ errorStr := fmt.Sprintf("cannot setup namespace using %q", path)
+ if isSet, err := unshare.IsSetID(cmd.Path, mode, cap); err != nil {
+ logrus.Errorf("Failed to check for %s on %s: %v", idtype, path, err)
+ } else if !isSet {
+ errorStr = fmt.Sprintf("%s: should have %s or have filecaps %s", errorStr, idtype, idtype)
+ }
+ return errors.Wrapf(err, errorStr)
}
return nil
}
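Review bot: The new `return errors.Wrapf(err, errorStr)` in the third hunk passes a runtime-built string as the format argument; `errorStr` already embeds the tool path via `%q`, so any `%` in that path (or in the appended idtype text) would be reinterpreted as a format verb and produce a garbled message, and `go vet`'s printf check flags non-constant format strings. Since no further formatting is wanted at this point, use the non-formatting variant: `return errors.Wrap(err, errorStr)`. In the second hunk, the new local `cap := capability.CAP_SETUID` shadows Go's builtin `cap`, which is legal but confusing in a function that works with slices (`mappings`); a name such as `capType` or `requiredCap` would avoid that. The diagnostic added here is only advisory (it reports whether the helper has the setuid/setgid bit or the equivalent file capability after the mapping already failed), so it is worth a one-line comment above the `IsSetID` call saying so, e.g. `// Explain the most common cause: the helper lacks setuid/setgid or matching file caps.`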