summaryrefslogtreecommitdiff
path: root/pkg
diff options
context:
space:
mode:
authorGiuseppe Scrivano <gscrivan@redhat.com>2018-08-02 14:27:20 +0200
committerAtomic Bot <atomic-devel@projectatomic.io>2018-08-02 18:49:55 +0000
commit13b1845214bcc5e37accd6c0cef524abb694c0c5 (patch)
tree6b5f7b46fbd9c8b18cc02f023d80401059982b7c /pkg
parent9f2da6f59fcb8fe07906d20c89696e43774b9eb1 (diff)
downloadpodman-13b1845214bcc5e37accd6c0cef524abb694c0c5.tar.gz
podman-13b1845214bcc5e37accd6c0cef524abb694c0c5.tar.bz2
podman-13b1845214bcc5e37accd6c0cef524abb694c0c5.zip
rootless: do not set setgroups to deny when using newuidmap
It is required only when directly configuring the user namespace. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> Closes: #1200 Approved by: rhatdan
Diffstat (limited to 'pkg')
-rw-r--r--pkg/rootless/rootless_linux.go12
1 files changed, 6 insertions, 6 deletions
diff --git a/pkg/rootless/rootless_linux.go b/pkg/rootless/rootless_linux.go
index 3d6402040..d34782171 100644
--- a/pkg/rootless/rootless_linux.go
+++ b/pkg/rootless/rootless_linux.go
@@ -95,12 +95,6 @@ func BecomeRootInUserNS() (bool, int, error) {
return false, -1, errors.Errorf("cannot re-exec process")
}
- setgroups := fmt.Sprintf("/proc/%d/setgroups", pid)
- err = ioutil.WriteFile(setgroups, []byte("deny\n"), 0666)
- if err != nil {
- return false, -1, errors.Wrapf(err, "cannot write setgroups file")
- }
-
var uids, gids []idtools.IDMap
username := os.Getenv("USER")
mappings, err := idtools.NewIDMappings(username, username)
@@ -117,6 +111,12 @@ func BecomeRootInUserNS() (bool, int, error) {
uidsMapped = tryMappingTool("newuidmap", pid, os.Getuid(), uids) == nil
}
if !uidsMapped {
+ setgroups := fmt.Sprintf("/proc/%d/setgroups", pid)
+ err = ioutil.WriteFile(setgroups, []byte("deny\n"), 0666)
+ if err != nil {
+ return false, -1, errors.Wrapf(err, "cannot write setgroups file")
+ }
+
uidMap := fmt.Sprintf("/proc/%d/uid_map", pid)
err = ioutil.WriteFile(uidMap, []byte(fmt.Sprintf("%d %d 1\n", 0, os.Getuid())), 0666)
if err != nil {