Diffstat (limited to 'libpod')
-rw-r--r-- | libpod/container_api.go | 6 | ||||
-rw-r--r-- | libpod/oci.go | 14 |
2 files changed, 12 insertions, 8 deletions
diff --git a/libpod/container_api.go b/libpod/container_api.go
index 56947eb3a..5df7e2f0e 100644
--- a/libpod/container_api.go
+++ b/libpod/container_api.go
@@ -335,11 +335,7 @@ func (c *Container) Exec(tty, privileged bool, env, cmd []string, user string) e
 	execCmd, err := c.runtime.ociRuntime.execContainer(c, cmd, capList, env, tty, hostUser, sessionID)
 	if err != nil {
-		return errors.Wrapf(err, "error creating exec command for container %s", c.ID())
-	}
-
-	if err := execCmd.Start(); err != nil {
-		return errors.Wrapf(err, "error starting exec command for container %s", c.ID())
+		return errors.Wrapf(err, "error exec %s", c.ID())
 	}
 	pidFile := c.execPidPath(sessionID)
diff --git a/libpod/oci.go b/libpod/oci.go
index da054eceb..4f0fbe8e9 100644
--- a/libpod/oci.go
+++ b/libpod/oci.go
@@ -682,15 +682,23 @@ func (r *OCIRuntime) execContainer(c *Container, cmd, capAdd, env []string, tty
 	execCmd := exec.Command(r.path, args...)
 	if rootless.IsRootless() {
-		args = append([]string{"--preserve-credentials", "-U", "-t", fmt.Sprintf("%d", c.state.PID), r.path}, args...)
-		// using nsenter might not be correct if the target PID joined a different user namespace.
-		// A better way would be to retrieve the parent ns (NS_GET_PARENT) until it is a child of the current namespace.
+		args = append([]string{"--preserve-credentials", "--user=/proc/self/fd/3", r.path}, args...)
+		f, err := rootless.GetUserNSForPid(uint(c.state.PID))
+		if err != nil {
+			return nil, err
+		}
 		execCmd = exec.Command("nsenter", args...)
+		execCmd.ExtraFiles = append(execCmd.ExtraFiles, f)
 	}
 	execCmd.Stdout = os.Stdout
 	execCmd.Stderr = os.Stderr
 	execCmd.Stdin = os.Stdin
 	execCmd.Env = append(execCmd.Env, fmt.Sprintf("XDG_RUNTIME_DIR=%s", runtimeDir))
+
+	if err := execCmd.Start(); err != nil {
+		return nil, errors.Wrapf(err, "cannot start container %s", c.ID())
+	}
+
 	return execCmd, nil
 }
|
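Review bot: The wrapped error on the new `return` line loses the context the two removed messages carried — `"error exec %s"` reads as a fragment and no longer tells the operator whether building or starting the exec command failed, both of which execContainer now does in one call. Suggest `return errors.Wrapf(err, "error creating or starting exec command for container %s", c.ID())`. Exec's body starts and ends outside the hunk; note that by the time `pidFile := c.execPidPath(sessionID)` runs the runc exec process is presumably already live, so any failure in the rest of the function now has a started child to account for — a comment such as `// execCmd has already been started by execContainer; later failures must not leave the session unreaped` would make that visible to the next editor.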
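Review bot: The user-namespace file `f` returned by rootless.GetUserNSForPid is never closed in the parent, so every rootless exec leaks one descriptor that also keeps the target user namespace pinned open; since ExtraFiles are duplicated into the child at Start and Start now happens inside this function, `defer f.Close()` immediately after the `if err != nil` check is safe and fixes both the leak on success and on the Start error path. The `--user=/proc/self/fd/3` argument silently relies on ExtraFiles being empty for the nsenter command — true here only because execCmd is rebuilt on the next line — so a comment like `// f becomes fd 3 in the child: ExtraFiles[i] is fd 3+i` would protect that assumption. The Start wrapper `"cannot start container %s"` is misleading for an exec session; `"error starting exec command for container %s"` matches the wording removed from container_api.go. c.state.PID is consumed with no visible liveness check, so if the container has already exited and the pid was reused the namespace of an unrelated process would be joined — presumably the caller holds the container lock and has checked state, but that is worth confirming.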