File 0001-Add-container-GID-to-additional-groups.patch of Package podman.26105

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-Add-container-GID-to-additional-groups.patch of Package podman.26105

From f212558e2851f05256ae779fae9b9cf4ce33fce0 Mon Sep 17 00:00:00 2001
From: Matthew Heon <mheon@redhat.com>
Date: Fri, 2 Sep 2022 13:40:29 -0400
Subject: [PATCH] Add container GID to additional groups

Mitigates a potential permissions issue. Mirrors Buildah PR #4200
and CRI-O PR #6159.

Signed-off-by: Matthew Heon <mheon@redhat.com>
(cherry picked from commit d82a41687e614d9ac8b2d169dee47fe226835e4c)
---
 libpod/container_internal_linux.go |  1 +
 pkg/specgen/namespaces.go          |  1 +
 test/e2e/run_test.go               | 14 +++++++++++---
 3 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/libpod/container_internal_linux.go b/libpod/container_internal_linux.go
index eb05ca423..b63c7fe77 100644
--- a/libpod/container_internal_linux.go
+++ b/libpod/container_internal_linux.go
@@ -500,6 +500,7 @@ func (c *Container) generateSpec(ctx context.Context) (*spec.Spec, error) {
 		// User and Group must go together
 		g.SetProcessUID(uint32(execUser.Uid))
 		g.SetProcessGID(uint32(execUser.Gid))
+		g.AddProcessAdditionalGid(uint32(execUser.Gid))
 	}
 
 	if c.config.Umask != "" {
diff --git a/pkg/specgen/namespaces.go b/pkg/specgen/namespaces.go
index 2f4c48811..ad7fb9074 100644
--- a/pkg/specgen/namespaces.go
+++ b/pkg/specgen/namespaces.go
@@ -363,6 +363,7 @@ func SetupUserNS(idmappings *storage.IDMappingOptions, userns Namespace, g *gene
 		idmappings = mappings
 		g.SetProcessUID(uint32(uid))
 		g.SetProcessGID(uint32(gid))
+		g.AddProcessAdditionalGid(uint32(gid))
 		user = fmt.Sprintf("%d:%d", uid, gid)
 		fallthrough
 	case Private:
diff --git a/test/e2e/run_test.go b/test/e2e/run_test.go
index 96d6d1425..e675025a7 100644
--- a/test/e2e/run_test.go
+++ b/test/e2e/run_test.go
@@ -848,7 +848,7 @@ USER bin`, BB)
 		session := podmanTest.Podman([]string{"run", "--rm", "--user=1234", ALPINE, "id"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root)"))
+		Expect(session.OutputToString()).To(Equal("uid=1234(1234) gid=0(root) groups=0(root)"))
 	})
 
 	It("podman run with user (integer, in /etc/passwd)", func() {
@@ -869,14 +869,14 @@ USER bin`, BB)
 		session := podmanTest.Podman([]string{"run", "--rm", "--user=mail:21", ALPINE, "id"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
+		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
 	})
 
 	It("podman run with user:group (integer:groupname)", func() {
 		session := podmanTest.Podman([]string{"run", "--rm", "--user=8:ftp", ALPINE, "id"})
 		session.WaitWithDefaultTimeout()
 		Expect(session).Should(Exit(0))
-		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp)"))
+		Expect(session.OutputToString()).To(Equal("uid=8(mail) gid=21(ftp) groups=21(ftp)"))
 	})
 
 	It("podman run with user, verify caps dropped", func() {
@@ -887,6 +887,14 @@ USER bin`, BB)
 		Expect("0000000000000000").To(Equal(capEff[1]))
 	})
 
+	It("podman run with user, verify group added", func() {
+		session := podmanTest.Podman([]string{"run", "--rm", "--user=1000:1000", ALPINE, "grep", "Groups:", "/proc/self/status"})
+		session.WaitWithDefaultTimeout()
+		Expect(session).Should(Exit(0))
+		groups := strings.Split(session.OutputToString(), " ")[1]
+		Expect("1000").To(Equal(groups))
+	})
+
 	It("podman run with attach stdin outputs container ID", func() {
 		session := podmanTest.Podman([]string{"run", "--attach", "stdin", ALPINE, "printenv"})
 		session.WaitWithDefaultTimeout()
-- 
2.37.3

Places

File 0001-Add-container-GID-to-additional-groups.patch of Package podman.26105

Places