From 3edaa174e8bc22f57818a69b284b7535dd99a657 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Thu, 21 Jul 2022 09:44:20 +0200 Subject: libpod: create /etc/passwd if missing create the /etc/passwd and /etc/group files if they are missing in the image. Closes: https://github.com/containers/podman/issues/14966 Signed-off-by: Giuseppe Scrivano --- libpod/container_internal_linux.go | 41 ++------------------------------------ test/e2e/run_passwd_test.go | 7 ++++++- 2 files changed, 8 insertions(+), 40 deletions(-) diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go index 46e525add..a131ab367 100644 --- a/libpod/container_internal_linux.go +++ b/libpod/container_internal_linux.go @@ -2886,23 +2886,6 @@ func (c *Container) generatePasswdAndGroup() (string, string, error) { } } - // Next, check if the container even has a /etc/passwd or /etc/group. - // If it doesn't we don't want to create them ourselves. - if needPasswd { - exists, err := c.checkFileExistsInRootfs("/etc/passwd") - if err != nil { - return "", "", err - } - needPasswd = exists - } - if needGroup { - exists, err := c.checkFileExistsInRootfs("/etc/group") - if err != nil { - return "", "", err - } - needGroup = exists - } - // If we don't need a /etc/passwd or /etc/group at this point we can // just return. if !needPasswd && !needGroup { @@ -2947,7 +2930,7 @@ func (c *Container) generatePasswdAndGroup() (string, string, error) { return "", "", fmt.Errorf("error looking up location of container %s /etc/passwd: %w", c.ID(), err) } - f, err := os.OpenFile(containerPasswd, os.O_APPEND|os.O_WRONLY, 0600) + f, err := os.OpenFile(containerPasswd, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600) if err != nil { return "", "", fmt.Errorf("container %s: %w", c.ID(), err) } @@ -2993,7 +2976,7 @@ func (c *Container) generatePasswdAndGroup() (string, string, error) { return "", "", fmt.Errorf("error looking up location of container %s /etc/group: %w", c.ID(), err) } - f, err := os.OpenFile(containerGroup, os.O_APPEND|os.O_WRONLY, 0600) + f, err := os.OpenFile(containerGroup, os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0600) if err != nil { return "", "", fmt.Errorf("container %s: %w", c.ID(), err) } @@ -3112,26 +3095,6 @@ func (c *Container) cleanupOverlayMounts() error { return overlay.CleanupContent(c.config.StaticDir) } -// Check if a file exists at the given path in the container's root filesystem. -// Container must already be mounted for this to be used. -func (c *Container) checkFileExistsInRootfs(file string) (bool, error) { - checkPath, err := securejoin.SecureJoin(c.state.Mountpoint, file) - if err != nil { - return false, fmt.Errorf("cannot create path to container %s file %q: %w", c.ID(), file, err) - } - stat, err := os.Stat(checkPath) - if err != nil { - if os.IsNotExist(err) { - return false, nil - } - return false, fmt.Errorf("container %s: %w", c.ID(), err) - } - if stat.IsDir() { - return false, nil - } - return true, nil -} - // Creates and mounts an empty dir to mount secrets into, if it does not already exist func (c *Container) createSecretMountDir() error { src := filepath.Join(c.state.RunDir, "/run/secrets") diff --git a/test/e2e/run_passwd_test.go b/test/e2e/run_passwd_test.go index 411e12218..20a6ee3b1 100644 --- a/test/e2e/run_passwd_test.go +++ b/test/e2e/run_passwd_test.go @@ -66,10 +66,15 @@ RUN rm -f /etc/passwd /etc/shadow /etc/group USER 1000`, ALPINE) imgName := "testimg" podmanTest.BuildImage(dockerfile, imgName, "false") - session := podmanTest.Podman([]string{"run", "--rm", imgName, "ls", "/etc/"}) + session := podmanTest.Podman([]string{"run", "--passwd=false", "--rm", imgName, "ls", "/etc/"}) session.WaitWithDefaultTimeout() Expect(session).Should(Exit(0)) Expect(session.OutputToString()).To(Not(ContainSubstring("passwd"))) + + // test that the /etc/passwd file is created + session = podmanTest.Podman([]string{"run", "--rm", "--user", "0:0", imgName, "ls", "/etc/passwd"}) + session.WaitWithDefaultTimeout() + Expect(session).Should(Exit(0)) }) It("podman run with no user specified does not change --group specified", func() { -- cgit v1.2.3-54-g00ecf