diff options
author | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-09-21 15:45:55 +0200 |
---|---|---|
committer | Giuseppe Scrivano <gscrivan@redhat.com> | 2019-09-21 22:11:09 +0200 |
commit | fb353f6f421656cafba05a885c921ca73daa5d70 (patch) | |
tree | 0b90096dfa60a577ef542e05aa86d09478143c49 /pkg | |
parent | 0d95e3aa06baf0613addc69b3d01bb7c262abd34 (diff) | |
download | podman-fb353f6f421656cafba05a885c921ca73daa5d70.tar.gz podman-fb353f6f421656cafba05a885c921ca73daa5d70.tar.bz2 podman-fb353f6f421656cafba05a885c921ca73daa5d70.zip |
execuser: look at the source for /etc/{passwd,group} overrides
look if there are bind mounts that can shadow the /etc/passwd and
/etc/group files. In that case, look at the bind mount source.
Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/lookup/lookup.go | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/pkg/lookup/lookup.go b/pkg/lookup/lookup.go index 70b97144f..a249dd753 100644 --- a/pkg/lookup/lookup.go +++ b/pkg/lookup/lookup.go @@ -29,17 +29,30 @@ func GetUserGroupInfo(containerMount, containerUser string, override *Overrides) defaultExecUser *user.ExecUser err error ) - passwdPath := etcpasswd - groupPath := etcgroup if override != nil { // Check for an override /etc/passwd path if override.ContainerEtcPasswdPath != "" { - passwdPath = override.ContainerEtcPasswdPath + passwdDest = override.ContainerEtcPasswdPath } // Check for an override for /etc/group path if override.ContainerEtcGroupPath != "" { - groupPath = override.ContainerEtcGroupPath + groupDest = override.ContainerEtcGroupPath + } + } + + if passwdDest == "" { + // Make sure the /etc/passwd destination is not a symlink to something naughty + if passwdDest, err = securejoin.SecureJoin(containerMount, etcpasswd); err != nil { + logrus.Debug(err) + return nil, err + } + } + if groupDest == "" { + // Make sure the /etc/group destination is not a symlink to something naughty + if groupDest, err = securejoin.SecureJoin(containerMount, etcgroup); err != nil { + logrus.Debug(err) + return nil, err } } @@ -56,15 +69,6 @@ func GetUserGroupInfo(containerMount, containerUser string, override *Overrides) } - // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty - if passwdDest, err = securejoin.SecureJoin(containerMount, passwdPath); err != nil { - logrus.Debug(err) - return nil, err - } - if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil { - logrus.Debug(err) - return nil, err - } return user.GetExecUserPath(containerUser, defaultExecUser, passwdDest, groupDest) } |