From 720eb85ba55d8c825262e9b2e058ec8a8e0e4d9f Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 23 Aug 2018 23:02:04 +0200
Subject: rootless: fix exec
We cannot re-exec into a new user namespace to gain privileges and access an existing as the new namespace is not the owner of the existing container. "unshare" is used to join the user namespace of the target container. The current implementation assumes that the main process of the container didn't create a new user namespace. Since in the setup phase we are not running with euid=0, we must skip the setup for containers/storage.
Closes: https://github.com/containers/libpod/issues/1329
Signed-off-by: Giuseppe Scrivano
Closes: #1331
Approved by: rhatdan
---
 test/e2e/rootless_test.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
(limited to 'test/e2e/rootless_test.go')
diff --git a/test/e2e/rootless_test.go b/test/e2e/rootless_test.go
index f77ad9924..8813d040d 100644
--- a/test/e2e/rootless_test.go
+++ b/test/e2e/rootless_test.go
@@ -102,6 +102,19 @@ var _ = Describe("Podman rootless", func() {
 cmd.WaitWithDefaultTimeout()
 Expect(cmd.LineInOutputContains("hello")).To(BeTrue())
 Expect(cmd.ExitCode()).To(Equal(0))
+
+ allArgsD := append([]string{"run", "-d"}, args...)
+ allArgsD = append(allArgsD, "--rootfs", mountPath, "sleep", "1d")
+ cmd = podmanTest.PodmanAsUser(allArgsD, 1000, 1000, env)
+ cmd.WaitWithDefaultTimeout()
+ Expect(cmd.ExitCode()).To(Equal(0))
+ cid := cmd.OutputToStringArray()[0]
+
+ allArgsE := []string{"exec", cid, "echo", "hello"}
+ cmd = podmanTest.PodmanAsUser(allArgsE, 1000, 1000, env)
+ cmd.WaitWithDefaultTimeout()
+ Expect(cmd.ExitCode()).To(Equal(0))
+ Expect(cmd.LineInOutputContains("hello")).To(BeTrue())
 }
 
 runRootless(mountPath)
-- 
cgit v1.2.3-54-g00ecf
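Review bot: `cid := cmd.OutputToStringArray()[0]` indexes the output of the detached run without checking that a line was printed, so an empty output would panic inside the closure instead of failing an expectation; adding `Expect(cmd.OutputToStringArray()).ToNot(BeEmpty())` just before it keeps the failure readable. The exec assertion only checks that `echo hello` succeeds, which shows the command ran but not that it ran inside the target container's user namespace as the commit message describes; a second exec whose output identifies the uid or namespace would pin the behaviour this fix is about. The `sleep 1d` container is not stopped or removed in these lines, so cleanup presumably relies on teardown outside the hunk, which is worth confirming since the closure may run more than once. The enclosing `runRootless` closure starts above the hunk.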