initContainer: Restructure user initialiation
When a newly created container already has the current user created
inside it, the user initialization section of the 'init-container'
command is not triggered. That section currently takes care of:

  1) symlinking /home to /var/home if called with option --home-link
  2a) creating user set by --user, --uid, --home and --shell
  2b) adds the user to the sudoers group (either sudo or wheel)
  3) removes password of user and of root

This commit does the following:

  - moves 1) before the user init section and makes calling it
    conditional depending on /home being a symlink or not
  - moves 3) after the user init section and depending on the output of
    'passwd --status' (that is expected to be NP; more in 'man
    passwd(1)') calls the said sections

containers#533
HarryMichal committed Aug 20, 2020
1 parent 464ea7c commit f14771a
Showing 1 changed file with 21 additions and 4 deletions.
25 changes: 21 additions & 4 deletions src/cmd/initContainer.go
Expand Up @@ -114,6 +114,8 @@ func init() {
}

func initContainer(cmd *cobra.Command, args []string) error {
var stdout strings.Builder

if !utils.IsInsideContainer() {
var builder strings.Builder
fmt.Fprintf(&builder, "the 'init-container' command can only be used inside containers\n")
Expand Down Expand Up @@ -232,20 +234,22 @@ func initContainer(cmd *cobra.Command, args []string) error {
}
}

if _, err := user.Lookup(initContainerFlags.user); err != nil {
if initContainerFlags.homeLink {
if initContainerFlags.homeLink {
if _, err := os.Readlink("/home"); err != nil {
if err := redirectPath("/home", "/var/home", true); err != nil {
return err
}
}
}

if _, err := user.Lookup(initContainerFlags.user); err != nil {
logrus.Debugf("Adding user %s with UID %d:", initContainerFlags.user, initContainerFlags.uid)

sudoGroup, err := utils.GetGroupForSudo()
if err != nil {
return fmt.Errorf("failed to add user %s: %s", initContainerFlags.user, err)
}

logrus.Debugf("Adding user %s with UID %d:", initContainerFlags.user, initContainerFlags.uid)

useraddArgs := []string{
"--home-dir", initContainerFlags.home,
"--no-create-home",
Expand All @@ -265,13 +269,26 @@ func initContainer(cmd *cobra.Command, args []string) error {
initContainerFlags.user,
initContainerFlags.uid)
}
}

if err := shell.Run("passwd", nil, &stdout, nil, "--status", initContainerFlags.user); err != nil {
return fmt.Errorf("failed to check password status of user %s: %w", initContainerFlags.user, err)
}
userPasswordStatus := strings.Split(stdout.String(), " ")[1]
if userPasswordStatus != "NP" {
logrus.Debugf("Removing password for user %s", initContainerFlags.user)

if err := shell.Run("passwd", nil, nil, nil, "--delete", initContainerFlags.user); err != nil {
return fmt.Errorf("failed to remove password for user %s", initContainerFlags.user)
}
}
stdout.Reset()

if err := shell.Run("passwd", nil, &stdout, nil, "--status", "root"); err != nil {
return fmt.Errorf("failed to check password status of root: %w", err)
}
rootPasswordStatus := strings.Split(stdout.String(), " ")[1]
if rootPasswordStatus != "NP" {
logrus.Debug("Removing password for user root")

if err := shell.Run("passwd", nil, nil, nil, "--delete", "root"); err != nil {
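Review bot: Both `strings.Split(stdout.String(), " ")[1]` lines index the output of `passwd --status` without checking that a second field exists, so an empty or unexpectedly short output (a non-conforming passwd implementation, or output swallowed by a wrapper) panics with an index-out-of-range instead of returning an error; `strings.Fields` plus a length check avoids that and is also robust to repeated whitespace. The `--delete` failure for the user also drops the underlying error (`"failed to remove password for user %s"` without `%w`), unlike the two `--status` checks that wrap theirs. Since the same status-then-delete sequence is written twice, moving it into a small helper fixes both at once; the function-level `stdout` builder is then no longer needed, and initContainer continues past this hunk. The `NP` marker is the one documented in passwd(1) for shadow-utils and Fedora's passwd; it would be worth a comment noting that any other status value (`P`/`PS`, `L`/`LK`) intentionally falls through to `--delete`.
```go
// passwordStatus runs 'passwd --status' for user and returns the second
// field of its output: "NP" when no password is set, "P"/"PS" when one is,
// "L"/"LK" when locked (see passwd(1)).
func passwordStatus(user string) (string, error) {
	var stdout strings.Builder
	if err := shell.Run("passwd", nil, &stdout, nil, "--status", user); err != nil {
		return "", fmt.Errorf("failed to check password status of user %s: %w", user, err)
	}
	fields := strings.Fields(stdout.String())
	if len(fields) < 2 {
		return "", fmt.Errorf("unexpected output from 'passwd --status' for user %s: %q", user, stdout.String())
	}
	return fields[1], nil
}

// removePasswordIfSet deletes the password of user unless 'passwd --status'
// already reports "NP"; any other status (set or locked) is cleared.
func removePasswordIfSet(user string) error {
	status, err := passwordStatus(user)
	if err != nil {
		return err
	}
	if status == "NP" {
		return nil
	}
	logrus.Debugf("Removing password for user %s", user)
	if err := shell.Run("passwd", nil, nil, nil, "--delete", user); err != nil {
		return fmt.Errorf("failed to remove password for user %s: %w", user, err)
	}
	return nil
}

// … in initContainer, replacing the two status/delete sequences:
for _, u := range []string{initContainerFlags.user, "root"} {
	if err := removePasswordIfSet(u); err != nil {
		return err
	}
}
```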
