Unbreak 'sudo' inside toolbox containers with Podman 2.0.5

Since Podman 2.0.5, containers that were created with 'podman create --userns=keep-id ...' automatically get the user added to /etc/passwd [1]. However, this user isn't as fully configured as it needs to be. The home directory is specified as "/" and the shell is /bin/sh. Therefore, the entry point needs to call usermod(8) to update the user, instead of using useradd(8) to create it. [1] Podman commit 6c6670f12a3e6b91 containers/podman#6829 containers#523
debarshiray · Aug 30, 2020 · a464f70 · a464f70
1 parent 1ac485f
commit a464f70
Show file tree

Hide file tree

Showing 2 changed files with 58 additions and 26 deletions.
diff --git a/README.md b/README.md
@@ -161,6 +161,7 @@ Tools:
 * `touch(1)`
 * `unlink(1)`
 * `useradd(8)`
+* `usermod(8)`
 
 Paths:
 * `/etc/host.conf`: optional, if present not a bind mount

diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
@@ -233,26 +233,35 @@ func initContainer(cmd *cobra.Command, args []string) error {
 		}
 	}
 
-	if _, err := user.Lookup(initContainerFlags.user); err != nil {
+	if targetUser, err := user.Lookup(initContainerFlags.user); err != nil {
 		if err := configureUser(initContainerFlags.home,
 			initContainerFlags.shell,
 			initContainerFlags.uid,
 			initContainerFlags.user,
-			initContainerFlags.homeLink); err != nil {
+			initContainerFlags.homeLink,
+			false); err != nil {
 			return err
 		}
+	} else if targetUser.HomeDir != initContainerFlags.home {
+		if err := configureUser(initContainerFlags.home,
+			initContainerFlags.shell,
+			initContainerFlags.uid,
+			initContainerFlags.user,
+			initContainerFlags.homeLink,
+			true); err != nil {
+			return err
+	}
 
-		logrus.Debugf("Removing password for user %s", initContainerFlags.user)
+	logrus.Debugf("Removing password for user %s", initContainerFlags.user)
 
-		if err := shell.Run("passwd", nil, nil, nil, "--delete", initContainerFlags.user); err != nil {
-			return fmt.Errorf("failed to remove password for user %s", initContainerFlags.user)
-		}
+	if err := shell.Run("passwd", nil, nil, nil, "--delete", initContainerFlags.user); err != nil {
+		return fmt.Errorf("failed to remove password for user %s", initContainerFlags.user)
+	}
 
-		logrus.Debug("Removing password for user root")
+	logrus.Debug("Removing password for user root")
 
-		if err := shell.Run("passwd", nil, nil, nil, "--delete", "root"); err != nil {
-			return errors.New("failed to remove password for root")
-		}
+	if err := shell.Run("passwd", nil, nil, nil, "--delete", "root"); err != nil {
+		return errors.New("failed to remove password for root")
 	}
 
 	if utils.PathExists("/etc/krb5.conf.d") && !utils.PathExists("/etc/krb5.conf.d/kcm_default_ccache") {
@@ -347,7 +356,7 @@ func initContainerHelp(cmd *cobra.Command, args []string) {
 	}
 }
 
-func configureUser(home, shell, uid, user string, homeLink bool) error {
+func configureUser(home, shell, uid, user string, homeLink, userExists bool) error {
 	if homeLink {
 		if err := redirectPath("/home", "/var/home", true); err != nil {
 			return err
@@ -359,24 +368,46 @@ func configureUser(home, shell, uid, user string, homeLink bool) error {
 		return fmt.Errorf("failed to get group for sudo: %w", err)
 	}
 
-	logrus.Debugf("Adding user %s with UID %d:", user, uid)
+	if userExists {
+		logrus.Debugf("Modifying user %s with UID %d:", user, uid)
 
-	useraddArgs := []string{
-		"--groups", sudoGroup,
-		"--home-dir", home,
-		"--no-create-home",
-		"--shell", shell,
-		"--uid", fmt.Sprint(uid),
-		user,
-	}
+		usermodArgs := []string{
+			"--append",
+			"--groups", sudoGroup,
+			"--home", home,
+			"--shell", shell,
+			"--uid", fmt.Sprint(uid),
+			user,
+		}
 
-	logrus.Debug("useradd")
-	for _, arg := range useraddArgs {
-		logrus.Debugf("%s", arg)
-	}
+		logrus.Debug("usermod")
+		for _, arg := range usermodArgs {
+			logrus.Debugf("%s", arg)
+		}
 
-	if err := shell.Run("useradd", nil, nil, nil, useraddArgs...); err != nil {
-		return fmt.Errorf("failed to add user %s with UID %d", user, uid)
+		if err := shell.Run("usermod", nil, nil, nil, usermodArgs...); err != nil {
+			return fmt.Errorf("failed to modify user %s with UID %d", user, uid)
+		}
+	} else {
+		logrus.Debugf("Adding user %s with UID %d:", user, uid)
+
+		useraddArgs := []string{
+			"--groups", sudoGroup,
+			"--home-dir", home,
+			"--no-create-home",
+			"--shell", shell,
+			"--uid", fmt.Sprint(uid),
+			user,
+		}
+
+		logrus.Debug("useradd")
+		for _, arg := range useraddArgs {
+			logrus.Debugf("%s", arg)
+		}
+
+		if err := shell.Run("useradd", nil, nil, nil, useraddArgs...); err != nil {
+			return fmt.Errorf("failed to add user %s with UID %d", user, uid)
+		}
 	}
 
 	return nil