aboutsummaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2019-09-21 15:45:55 +0200
committerGiuseppe Scrivano <gscrivan@redhat.com>2019-09-21 22:11:09 +0200
commitfb353f6f421656cafba05a885c921ca73daa5d70 (patch)
tree0b90096dfa60a577ef542e05aa86d09478143c49 /pkg
parent0d95e3aa06baf0613addc69b3d01bb7c262abd34 (diff)
downloadpodman-fb353f6f421656cafba05a885c921ca73daa5d70.tar.gz
podman-fb353f6f421656cafba05a885c921ca73daa5d70.tar.bz2
podman-fb353f6f421656cafba05a885c921ca73daa5d70.zip
execuser: look at the source for /etc/{passwd,group} overrides
look if there are bind mounts that can shadow the /etc/passwd and /etc/group files. In that case, look at the bind mount source. Closes: https://github.com/containers/libpod/pull/4068#issuecomment-533782941 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Diffstat (limited to 'pkg')
-rw-r--r--pkg/lookup/lookup.go30
1 files changed, 17 insertions, 13 deletions
diff --git a/pkg/lookup/lookup.go b/pkg/lookup/lookup.go
index 70b97144f..a249dd753 100644
--- a/pkg/lookup/lookup.go
+++ b/pkg/lookup/lookup.go
@@ -29,17 +29,30 @@ func GetUserGroupInfo(containerMount, containerUser string, override *Overrides)
defaultExecUser *user.ExecUser
err error
)
- passwdPath := etcpasswd
- groupPath := etcgroup
if override != nil {
// Check for an override /etc/passwd path
if override.ContainerEtcPasswdPath != "" {
- passwdPath = override.ContainerEtcPasswdPath
+ passwdDest = override.ContainerEtcPasswdPath
}
// Check for an override for /etc/group path
if override.ContainerEtcGroupPath != "" {
- groupPath = override.ContainerEtcGroupPath
+ groupDest = override.ContainerEtcGroupPath
+ }
+ }
+
+ if passwdDest == "" {
+ // Make sure the /etc/passwd destination is not a symlink to something naughty
+ if passwdDest, err = securejoin.SecureJoin(containerMount, etcpasswd); err != nil {
+ logrus.Debug(err)
+ return nil, err
+ }
+ }
+ if groupDest == "" {
+ // Make sure the /etc/group destination is not a symlink to something naughty
+ if groupDest, err = securejoin.SecureJoin(containerMount, etcgroup); err != nil {
+ logrus.Debug(err)
+ return nil, err
}
}
@@ -56,15 +69,6 @@ func GetUserGroupInfo(containerMount, containerUser string, override *Overrides)
}
- // Make sure the /etc/group and /etc/passwd destinations are not a symlink to something naughty
- if passwdDest, err = securejoin.SecureJoin(containerMount, passwdPath); err != nil {
- logrus.Debug(err)
- return nil, err
- }
- if groupDest, err = securejoin.SecureJoin(containerMount, groupPath); err != nil {
- logrus.Debug(err)
- return nil, err
- }
return user.GetExecUserPath(containerUser, defaultExecUser, passwdDest, groupDest)
}