Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make an entry in /etc/group when we modify /etc/passwd #7541

Merged
merged 1 commit into from
Sep 10, 2020

Conversation

mheon
Copy link
Member

@mheon mheon commented Sep 4, 2020

To ensure that the user running in the container ahs a valid entry in /etc/passwd so lookup functions for the current user will not error, Podman previously began adding entries to the passwd file. We did not, however, add entries to the group file, and this created problems - our passwd entries included the group the user is in, but said group might not exist. The solution is to mirror our logic for /etc/passwd modifications to also edit /etc/group in the container.

Unfortunately, this is not a catch-all solution. Our logic here is only advanced enough to add to the group file - so if the group already exists but we add a user not a part of it, we will not modify that existing entry, and things remain inconsistent. We can look into adding this later if we absolutely need to, but it would involve adding significant complexity to this already massively complicated function.

While we're here, address an edge case where Podman could add a user or group whose UID overlapped with an existing user or group.

Fixes #7503
Fixes #7389

@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mheon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 4, 2020
@mheon
Copy link
Member Author

mheon commented Sep 4, 2020

Still needs tests

@mheon mheon force-pushed the modify_group branch 3 times, most recently from 56a4a50 to 9870b5d Compare September 4, 2020 19:20
@rhatdan
Copy link
Member

rhatdan commented Sep 5, 2020

We need e2e and/or system tests for this as well, to verify that we handle the situations correctly.

Group Name added to container (--keep-id and --user=1234)
--read-only
Group Name exists in container
/etc/group does not exist in container

@mheon
Copy link
Member Author

mheon commented Sep 9, 2020

Tests added, and converted to fix #7499 as well (generate a * instead of x for passwd entries).

}

// Check if the group already exists
_, err = lookup.GetGroup(c.state.Mountpoint, group)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit can you do this on one line.
if _, err := lookup.GetGroup(c.state.Mountpoint, group); err !=nil {
...
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nits still there

@mheon mheon force-pushed the modify_group branch 4 times, most recently from d457cba to 099feb5 Compare September 9, 2020 21:41
@mheon
Copy link
Member Author

mheon commented Sep 10, 2020

Ah, silly me, grepping for group is always going to succeed because of the cgroups mount. I'll swap to /etc/group instead.

To ensure that the user running in the container ahs a valid
entry in /etc/passwd so lookup functions for the current user
will not error, Podman previously began adding entries to the
passwd file. We did not, however, add entries to the group file,
and this created problems - our passwd entries included the group
the user is in, but said group might not exist. The solution is
to mirror our logic for /etc/passwd modifications to also edit
/etc/group in the container.

Unfortunately, this is not a catch-all solution. Our logic here
is only advanced enough to *add* to the group file - so if the
group already exists but we add a user not a part of it, we will
not modify that existing entry, and things remain inconsistent.
We can look into adding this later if we absolutely need to, but
it would involve adding significant complexity to this already
massively complicated function.

While we're here, address an edge case where Podman could add a
user or group whose UID overlapped with an existing user or
group.

Also, let's make users able to log into users we added. Instead
of generating user entries with an 'x' in the password field,
indicating they have an entry in /etc/shadow, generate a '*'
indicating the user has no password but can be logged into by
other means e.g. ssh key, su.

Fixes containers#7503
Fixes containers#7389
Fixes containers#7499

Signed-off-by: Matthew Heon <[email protected]>
@mheon
Copy link
Member Author

mheon commented Sep 10, 2020

This is starting to go green.

@rhatdan
Copy link
Member

rhatdan commented Sep 10, 2020

@TomSweeneyRedHat
Copy link
Member

LGTM

1 similar comment
@QiWang19
Copy link
Contributor

LGTM

@rhatdan
Copy link
Member

rhatdan commented Sep 10, 2020

/lgtm

@openshift-ci-robot openshift-ci-robot added the lgtm Indicates that a PR is ready to be merged. label Sep 10, 2020
@openshift-merge-robot openshift-merge-robot merged commit 861451a into containers:master Sep 10, 2020
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 24, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 24, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
6 participants