From a464f70abe35376634a0cc41eacf00f760537cb9 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Sun, 30 Aug 2020 16:26:07 +0200 Subject: [PATCH] Unbreak 'sudo' inside toolbox containers with Podman 2.0.5 Since Podman 2.0.5, containers that were created with 'podman create --userns=keep-id ...' automatically get the user added to /etc/passwd [1]. However, this user isn't as fully configured as it needs to be. The home directory is specified as "/" and the shell is /bin/sh. Therefore, the entry point needs to call usermod(8) to update the user, instead of using useradd(8) to create it. [1] Podman commit 6c6670f12a3e6b91 https://github.com/containers/podman/pull/6829 https://github.com/containers/toolbox/issues/523 --- README.md | 1 + src/cmd/initContainer.go | 83 +++++++++++++++++++++++++++------------- 2 files changed, 58 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index 611ae0709..72996dbb6 100644 --- a/README.md +++ b/README.md @@ -161,6 +161,7 @@ Tools: * `touch(1)` * `unlink(1)` * `useradd(8)` +* `usermod(8)` Paths: * `/etc/host.conf`: optional, if present not a bind mount diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go index 8a9ea3912..2abf58306 100644 --- a/src/cmd/initContainer.go +++ b/src/cmd/initContainer.go @@ -233,26 +233,35 @@ func initContainer(cmd *cobra.Command, args []string) error { } } - if _, err := user.Lookup(initContainerFlags.user); err != nil { + if targetUser, err := user.Lookup(initContainerFlags.user); err != nil { if err := configureUser(initContainerFlags.home, initContainerFlags.shell, initContainerFlags.uid, initContainerFlags.user, - initContainerFlags.homeLink); err != nil { + initContainerFlags.homeLink, + false); err != nil { return err } + } else if targetUser.HomeDir != initContainerFlags.home { + if err := configureUser(initContainerFlags.home, + initContainerFlags.shell, + initContainerFlags.uid, + initContainerFlags.user, + initContainerFlags.homeLink, + true); err != nil { + return err + } - logrus.Debugf("Removing password for user %s", initContainerFlags.user) + logrus.Debugf("Removing password for user %s", initContainerFlags.user) - if err := shell.Run("passwd", nil, nil, nil, "--delete", initContainerFlags.user); err != nil { - return fmt.Errorf("failed to remove password for user %s", initContainerFlags.user) - } + if err := shell.Run("passwd", nil, nil, nil, "--delete", initContainerFlags.user); err != nil { + return fmt.Errorf("failed to remove password for user %s", initContainerFlags.user) + } - logrus.Debug("Removing password for user root") + logrus.Debug("Removing password for user root") - if err := shell.Run("passwd", nil, nil, nil, "--delete", "root"); err != nil { - return errors.New("failed to remove password for root") - } + if err := shell.Run("passwd", nil, nil, nil, "--delete", "root"); err != nil { + return errors.New("failed to remove password for root") } if utils.PathExists("/etc/krb5.conf.d") && !utils.PathExists("/etc/krb5.conf.d/kcm_default_ccache") { @@ -347,7 +356,7 @@ func initContainerHelp(cmd *cobra.Command, args []string) { } } -func configureUser(home, shell, uid, user string, homeLink bool) error { +func configureUser(home, shell, uid, user string, homeLink, userExists bool) error { if homeLink { if err := redirectPath("/home", "/var/home", true); err != nil { return err @@ -359,24 +368,46 @@ func configureUser(home, shell, uid, user string, homeLink bool) error { return fmt.Errorf("failed to get group for sudo: %w", err) } - logrus.Debugf("Adding user %s with UID %d:", user, uid) + if userExists { + logrus.Debugf("Modifying user %s with UID %d:", user, uid) - useraddArgs := []string{ - "--groups", sudoGroup, - "--home-dir", home, - "--no-create-home", - "--shell", shell, - "--uid", fmt.Sprint(uid), - user, - } + usermodArgs := []string{ + "--append", + "--groups", sudoGroup, + "--home", home, + "--shell", shell, + "--uid", fmt.Sprint(uid), + user, + } - logrus.Debug("useradd") - for _, arg := range useraddArgs { - logrus.Debugf("%s", arg) - } + logrus.Debug("usermod") + for _, arg := range usermodArgs { + logrus.Debugf("%s", arg) + } - if err := shell.Run("useradd", nil, nil, nil, useraddArgs...); err != nil { - return fmt.Errorf("failed to add user %s with UID %d", user, uid) + if err := shell.Run("usermod", nil, nil, nil, usermodArgs...); err != nil { + return fmt.Errorf("failed to modify user %s with UID %d", user, uid) + } + } else { + logrus.Debugf("Adding user %s with UID %d:", user, uid) + + useraddArgs := []string{ + "--groups", sudoGroup, + "--home-dir", home, + "--no-create-home", + "--shell", shell, + "--uid", fmt.Sprint(uid), + user, + } + + logrus.Debug("useradd") + for _, arg := range useraddArgs { + logrus.Debugf("%s", arg) + } + + if err := shell.Run("useradd", nil, nil, nil, useraddArgs...); err != nil { + return fmt.Errorf("failed to add user %s with UID %d", user, uid) + } } return nil