author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-09-23 21:15:26 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-23 21:15:26 +0200 |
commit | f5951c7305306967a89de09d957ccd5699ec3f85 (patch) | |
tree | 2a68b480d48c7e230a81db1053e8c1a6f4128513 /pkg | |
parent | a74dfdadd7cc02959c2a142658bedabdc4a607a3 (diff) | |
parent | 497678d9e348d10027b0b71de41a6aea11e5aba2 (diff) | |
Merge pull request #4074 from giuseppe/override-etc-passwd-group
execuser: look at the source for /etc/{passwd,group} overrides
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/lookup/lookup.go | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/pkg/lookup/lookup.go b/pkg/lookup/lookup.go
index 70b97144f..a249dd753 100644
--- a/pkg/lookup/lookup.go
+++ b/pkg/lookup/lookup.go
@@ -29,17 +29,30 @@ func GetUserGroupInfo(containerMount, containerUser string, override *Overrides)
 defaultExecUser *user.ExecUser
 err error
 )
- passwdPath := etcpasswd
- groupPath := etcgroup
 if override != nil {
 // Check for an override /etc/passwd path
 if override.ContainerEtcPasswdPath != "" {
- passwdPath = override.ContainerEtcPasswdPath
+ passwdDest = override.ContainerEtcPasswdPath
 }
 // Check for an override for /etc/group path
 if override.ContainerEtcGroupPath != "" {
- groupPath = override.ContainerEtcGroupPath
+ groupDest = override.ContainerEtcGroupPath
+ }
+ }
+
+ if passwdDest == "" {
+ // Make sure the /etc/passwd destination is not a symlink to something naughty
+ if passwdDest, err = securejoin.SecureJoin(containerMount, etcpasswd); err != nil {
+ logrus.Debug(err)
+ return nil, err
+ }
+ }
+ if groupDest == "" {
+ // Make sure the /etc/group destination is not a symlink to something naughty
+ if groupDest, err = securejoin.SecureJoin(containerMount, etcgroup); err != nil {
+ logrus.Debug(err)
+ return nil, err
 }
 }
@@ -56,15 +69,6 @@ func GetUserGroupInfo(containerMount, containerUser string, override *Overrides)
 }
- // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty
- if passwdDest, err = securejoin.SecureJoin(containerMount, passwdPath); err != nil {
- logrus.Debug(err)
- return nil, err
- }
- if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil {
- logrus.Debug(err)
- return nil, err
- }
 return user.GetExecUserPath(containerUser, defaultExecUser, passwdDest, groupDest)
 }
|
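Review bot: In the first hunk the override branch assigns `override.ContainerEtcPasswdPath` and `override.ContainerEtcGroupPath` straight to `passwdDest`/`groupDest`, so those paths skip `securejoin.SecureJoin` and reach `user.GetExecUserPath` as given, no longer confined to `containerMount`. Going by the commit title this is intentional (the override names the source file rather than a path inside the rootfs), but it turns the two fields into a trust boundary: they have to be host paths the caller controls, never values derived from image or container content, and a symlink at such a path would presumably be followed. I would state that where the fields are assigned, e.g. `// Override paths are used as-is and are NOT resolved inside containerMount; callers must pass trusted host paths.` The declarations of `passwdDest` and `groupDest` lie outside the hunk, so the `== ""` checks are assumed to rely on their zero value.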