rootless: always create userns with euid != 0
Always create a user namespace when running with euid != 0, since such a user does not own the current mount namespace. This issue happened on a Kubernetes cluster, where the pod was running privileged but the UID was not 0, as configured in the image itself. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
This commit is contained in:
parent
90719d38f7
commit
1bac160960
|
@ -420,13 +420,14 @@ func makeRuntime(runtime *Runtime) (retErr error) {
|
|||
}
|
||||
logrus.Debugf("Set libpod namespace to %q", runtime.config.Engine.Namespace)
|
||||
|
||||
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
|
||||
if err != nil {
|
||||
return err
|
||||
needsUserns := os.Geteuid() != 0
|
||||
if !needsUserns {
|
||||
hasCapSysAdmin, err := unshare.HasCapSysAdmin()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
needsUserns = !hasCapSysAdmin
|
||||
}
|
||||
|
||||
needsUserns := !hasCapSysAdmin
|
||||
|
||||
// Set up containers/storage
|
||||
var store storage.Store
|
||||
if needsUserns {
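Review bot: The new `needsUserns := os.Geteuid() != 0` carries the entire rationale of this commit, yet nothing in the code says why the capability probe alone is no longer sufficient, so a later cleanup could fold it back into `!hasCapSysAdmin` and reintroduce the privileged-pod-with-non-root-USER failure the message describes. I would put the reason above that line: `// A non-root euid needs a user namespace even when the process holds CAP_SYS_ADMIN (e.g. a privileged pod whose image sets a non-root USER), because it does not own the current mount namespace; the capability only matters for euid 0.` The inner `hasCapSysAdmin, err :=` is now block-scoped to the `if`, which is fine since only `needsUserns` is consumed below, but the comment should make clear that skipping the probe for euid != 0 is deliberate rather than an accident of scoping. makeRuntime begins and ends outside the hunk.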
|
||||
|
|
|
@ -172,7 +172,7 @@ func joinUserAndMountNS(pid uint, pausePid string) (bool, int, error) {
|
|||
if err != nil {
|
||||
return false, 0, err
|
||||
}
|
||||
if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
|
||||
if (os.Geteuid() == 0 && hasCapSysAdmin) || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
|
||||
return false, 0, nil
|
||||
}
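Review bot: The predicate `os.Geteuid() == 0 && hasCapSysAdmin` is now hand-copied here, again in becomeRootInUserNS, and in inverted form in makeRuntime; three independent sites deciding whether a user namespace is needed will drift, and this commit exists precisely because that decision was wrong in all of them at once. I would factor it into one helper that callers in both packages can reach (a `rootWithCapSysAdmin()` that tests the euid first and only then probes CAP_SYS_ADMIN, so makeRuntime keeps skipping the probe for non-root), and use it at all three sites. The `_CONTAINERS_USERNS_CONFIGURED` branch is untouched and still short-circuits on the environment alone; presumably it is set only by podman's own re-exec, and if so a one-line comment saying that is the trust assumption would make the boundary explicit. joinUserAndMountNS starts before the hunk and continues past it.
```go
// rootWithCapSysAdmin reports whether the process runs as euid 0 and holds
// CAP_SYS_ADMIN. Only then may it skip creating or joining a user namespace;
// a non-root euid does not own the mount namespace even with the capability.
func rootWithCapSysAdmin() (bool, error) {
	if os.Geteuid() != 0 {
		return false, nil
	}
	return unshare.HasCapSysAdmin()
}
// … unchanged: joinUserAndMountNS body, with the condition replaced by a call to the helper …
```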
|
||||
|
||||
|
@ -248,7 +248,7 @@ func becomeRootInUserNS(pausePid, fileToRead string, fileOutput *os.File) (_ boo
|
|||
return false, 0, err
|
||||
}
|
||||
|
||||
if hasCapSysAdmin || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
|
||||
if (os.Geteuid() == 0 && hasCapSysAdmin) || os.Getenv("_CONTAINERS_USERNS_CONFIGURED") != "" {
|
||||
if os.Getenv("_CONTAINERS_USERNS_CONFIGURED") == "init" {
|
||||
return false, 0, runInUser()
|
||||
}
|
||||
|
|