diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2018-08-02 14:27:20 +0200 |
---|---|---|
committer | Atomic Bot <atomic-devel@projectatomic.io> | 2018-08-02 18:49:55 +0000 |
commit | 13b1845214bcc5e37accd6c0cef524abb694c0c5 (patch) | |
tree | 6b5f7b46fbd9c8b18cc02f023d80401059982b7c /pkg/rootless | |
parent | 9f2da6f59fcb8fe07906d20c89696e43774b9eb1 (diff) | |
download | podman-13b1845214bcc5e37accd6c0cef524abb694c0c5.tar.gz podman-13b1845214bcc5e37accd6c0cef524abb694c0c5.tar.bz2 podman-13b1845214bcc5e37accd6c0cef524abb694c0c5.zip |
rootless: do not set setgroups to deny when using newuidmap
It is required only when directly configuring the user namespace.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1200
Approved by: rhatdan
Diffstat (limited to 'pkg/rootless')
-rw-r--r-- | pkg/rootless/rootless_linux.go | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go index 3d6402040..d34782171 100644 --- a/pkg/rootless/rootless_linux.go +++ b/pkg/rootless/rootless_linux.go @@ -95,12 +95,6 @@ func BecomeRootInUserNS() (bool, int, error) { return false, -1, errors.Errorf("cannot re-exec process") } - setgroups := fmt.Sprintf("/proc/%d/setgroups", pid) - err = ioutil.WriteFile(setgroups, []byte("deny\n"), 0666) - if err != nil { - return false, -1, errors.Wrapf(err, "cannot write setgroups file") - } - var uids, gids []idtools.IDMap username := os.Getenv("USER") mappings, err := idtools.NewIDMappings(username, username) @@ -117,6 +111,12 @@ func BecomeRootInUserNS() (bool, int, error) { uidsMapped = tryMappingTool("newuidmap", pid, os.Getuid(), uids) == nil } if !uidsMapped { + setgroups := fmt.Sprintf("/proc/%d/setgroups", pid) + err = ioutil.WriteFile(setgroups, []byte("deny\n"), 0666) + if err != nil { + return false, -1, errors.Wrapf(err, "cannot write setgroups file") + } + uidMap := fmt.Sprintf("/proc/%d/uid_map", pid) err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getuid())), 0666) if err != nil { |