From 20ce6e5c6031bd4180514ec412760a294f8a83a2 Mon Sep 17 00:00:00 2001 From: cdoern Date: Mon, 20 Dec 2021 10:23:08 -0500 Subject: Podman run --passwd added support for a new flag --passwd which, when false prohibits podman from creating entries in /etc/passwd and /etc/groups allowing users to modify those files in the container entrypoint resolves #11805 Signed-off-by: cdoern --- pkg/specgen/generate/container_create.go | 3 +++ pkg/specgen/specgen.go | 2 ++ 2 files changed, 5 insertions(+) (limited to 'pkg/specgen') diff --git a/pkg/specgen/generate/container_create.go b/pkg/specgen/generate/container_create.go index 331c9393a..7d8ef576a 100644 --- a/pkg/specgen/generate/container_create.go +++ b/pkg/specgen/generate/container_create.go @@ -482,5 +482,8 @@ func createContainerOptions(ctx context.Context, rt *libpod.Runtime, s *specgen. if s.PidFile != "" { options = append(options, libpod.WithPidFile(s.PidFile)) } + + options = append(options, libpod.WithSelectedPasswordManagement(s.Passwd)) + return options, nil } diff --git a/pkg/specgen/specgen.go b/pkg/specgen/specgen.go index e650c1966..5a1cc1144 100644 --- a/pkg/specgen/specgen.go +++ b/pkg/specgen/specgen.go @@ -201,6 +201,8 @@ type ContainerBasicConfig struct { // UnsetEnvAll unsets all default environment variables from the image or from buildin // Optional. UnsetEnvAll bool `json:"unsetenvall,omitempty"` + // Passwd is a container run option that determines if we are validating users/groups before running the container + Passwd *bool `json:"manage_password,omitempty"` } // ContainerStorageConfig contains information on the storage configuration of a -- cgit v1.2.3-54-g00ecf