-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
process capabilities for run / exec are inconsistent when --userns=keep-id is set #9919
Labels
In Progress
This issue is actively being worked by the assignee, please do not work on this at this time.
kind/bug
Categorizes issue or PR as related to a bug.
locked - please file new issue/PR
Assist humans wanting to comment on an old issue or PR with locked comments.
Comments
openshift-ci-robot
added
the
kind/bug
Categorizes issue or PR as related to a bug.
label
Apr 1, 2021
We don't retain |
Found it. |
mheon
added
the
In Progress
This issue is actively being worked by the assignee, please do not work on this at this time.
label
Apr 5, 2021
mheon
added a commit
to mheon/libpod
that referenced
this issue
Apr 6, 2021
One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped. Fixes containers#9919 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
mheon
added a commit
to mheon/libpod
that referenced
this issue
Apr 16, 2021
One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped. Fixes containers#9919 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
jmguzik
pushed a commit
to jmguzik/podman
that referenced
this issue
Apr 26, 2021
One of the side-effects of the `--userns=keep-id` command is switching the default user of the container to the UID of the user running Podman (though this can still be overridden by the `--user` flag). However, it did this by setting the UID and GID in the OCI spec, and not by informing Libpod of its intention to switch users via the `WithUser()` option. Because of this, a lot of the code that should have triggered when the container ran with a non-root user was not triggering. In the case of the issue that this fixed, the code to remove capabilities from non-root users was not triggering. Adjust the keep-id code to properly inform Libpod of our intention to use a non-root user to fix this. Also, fix an annoying race around short-running exec sessions where Podman would always print a warning that the exec session had already stopped. Fixes containers#9919 Signed-off-by: Matthew Heon <matthew.heon@pm.me>
github-actions
bot
added
the
locked - please file new issue/PR
Assist humans wanting to comment on an old issue or PR with locked comments.
label
Sep 22, 2023
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Labels
In Progress
This issue is actively being worked by the assignee, please do not work on this at this time.
kind/bug
Categorizes issue or PR as related to a bug.
locked - please file new issue/PR
Assist humans wanting to comment on an old issue or PR with locked comments.
Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)
/kind bug
Description
When running a container in rootless mode with
--userns=keep-id
the capabilities are dropped as expected:However, If I run a container in the background:
and
exec
another command in the same container, the UID seems to be mapped correctly but the capabilities are not dropped by default:To fix this I need to specify the
--user
option explicitly even though the UID is already mapped via--userns=keep-id
Steps to reproduce the issue:
as above
Describe the results you received:
Process capabilities are different for
podman run
andpodman exec
commands.Describe the results you expected:
podman exec
should drop the capabilities for the user process by default if--userns=keep-id
was set.Output of
podman version
:The text was updated successfully, but these errors were encountered: