From b3ec3c97e47906799a6472cc104d0e234669b20b Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Fri, 24 Nov 2023 13:19:56 +0100
Subject: [PATCH] system: enhance check for re-exec into rootless userns
Previously, the setup only checked for the CAP_SYS_ADMIN capability, which could be not enough with containerized Podman where CAP_SYS_ADMIN might be set for an unprivileged user.
Closes: https://github.com/containers/podman/issues/20766
[NO NEW TESTS NEEDED] needs containerized Podman
Signed-off-by: Giuseppe Scrivano
---
 pkg/domain/infra/abi/system.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/domain/infra/abi/system.go b/pkg/domain/infra/abi/system.go
index f212de5ba9..95bf5d38ca 100644
--- a/pkg/domain/infra/abi/system.go
+++ b/pkg/domain/infra/abi/system.go
@@ -87,7 +87,8 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool)
 if err != nil {
 return err
 }
- if hasCapSysAdmin {
+ // check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
+ if os.Geteuid() == 0 && hasCapSysAdmin {
 ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
 if err != nil {
 logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)
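Review bot: The comment added above `if os.Geteuid() == 0 && hasCapSysAdmin {` names the two checks but not the case they exclude, so a later cleanup could drop the euid test again as redundant. Going by the commit message, that case is an unprivileged user who holds CAP_SYS_ADMIN under containerized Podman; I would say so directly, e.g. `// CAP_SYS_ADMIN alone is not proof of privilege: containerized Podman may grant it to an unprivileged user, so also require euid 0.` Any other caller that treats the CAP_SYS_ADMIN result on its own as the privilege signal would presumably have the same gap, though none is visible in this hunk. SetupRootless starts and continues outside the hunk, so what the non-matching path does next cannot be checked from here.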