Skip to content

Commit

Permalink
container, exec: honor process user's uid while setting HOME env
Browse files Browse the repository at this point in the history
If spec contains `process: { user: uid, ...` always honor spec while
performing `exec` and configuring `HOME` env variable.

So `set_home_env` must use `process->user->uid` instead of `container_uid`.
PR also adds a test to verify if we don't regress this in future.

Closes: containers#924

Signed-off-by: Aditya R <[email protected]>
  • Loading branch information
flouthoc committed May 23, 2022
1 parent 7077fa1 commit ec9ab49
Show file tree
Hide file tree
Showing 3 changed files with 49 additions and 1 deletion.
2 changes: 1 addition & 1 deletion src/libcrun/container.c
Original file line number Diff line number Diff line change
Expand Up @@ -3126,7 +3126,7 @@ exec_process_entrypoint (libcrun_context_t *context,

if (getenv ("HOME") == NULL)
{
ret = set_home_env (container->container_uid);
ret = set_home_env (container_uid);
if (UNLIKELY (ret < 0 && errno != ENOTSUP))
{
setenv ("HOME", "/", 1);
Expand Down
42 changes: 42 additions & 0 deletions tests/test_exec.py
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,47 @@ def test_exec_additional_gids():
shutil.rmtree(tempdir)
return 0

def test_exec_populate_home_env_from_process_uid():
if is_rootless():
return 77
conf = base_config()
conf['process']['args'] = ['/init', 'pause']
add_all_namespaces(conf)
cid = None
tempdir = tempfile.mkdtemp()
try:
_, cid = run_and_get_output(conf, command='run', detach=True)

process_file = os.path.join(tempdir, "process.json")
with open(process_file, "w") as f:
json.dump({
"user": {
"uid": 1000,
"gid": 1000,
"additionalGids": [1000]
},
"terminal": False,
"args": [
"/init",
"printenv",
"HOME"
],
"env": [
"PATH=/bin",
"TERM=xterm"
],
"cwd": "/",
"noNewPrivileges": True
}, f)
out = run_crun_command(["exec", "--process", process_file, cid])
if "/var/empty" not in out:
return -1
finally:
if cid is not None:
run_crun_command(["delete", "-f", cid])
shutil.rmtree(tempdir)
return 0

def test_exec_add_capability():
"""Specify an additional capability to add to the process"""
conf = base_config()
Expand Down Expand Up @@ -306,6 +347,7 @@ def test_exec_write_pid_file():
"exec-set-user-with-uid-gid" : test_exec_set_user,
"exec_add_no_new_privileges" : test_exec_no_new_privs,
"exec_write_pid_file" : test_exec_write_pid_file,
"exec_populate_home_env_from_process_uid" : test_exec_populate_home_env_from_process_uid,
}

if __name__ == "__main__":
Expand Down
6 changes: 6 additions & 0 deletions tests/tests_utils.py
Original file line number Diff line number Diff line change
Expand Up @@ -243,6 +243,12 @@ def run_and_get_output(config, detach=False, preserve_fds=None, pid_file=None,
os.symlink("../usr/share/zoneinfo/Europe/Rome", os.path.join(rootfs, "etc/localtime"))
os.symlink("../foo/bar/not/here", os.path.join(rootfs, "etc/not-existing"))

# Populate /etc/passwd inside container rootfs with users root and test for various test-cases.
passwd = open(os.path.join(rootfs, "usr/share/passwd"), "w")
passwd.writelines(["root:x:0:0:root:/root:/bin/bash", "\ntest:x:1000:1000:test:/var/empty:/bin/bash"])
passwd.close()
os.symlink("../usr/share/passwd", os.path.join(rootfs, "etc/passwd"))

if chown_rootfs_to is not None:
os.chown(temp_dir, chown_rootfs_to, chown_rootfs_to)
for root, dirs, files in os.walk(temp_dir):
Expand Down

0 comments on commit ec9ab49

Please sign in to comment.