kotovalexarian-likes-github/moby--moby
1
0
Fork 0
mirror of https://github.com/moby/moby.git synced 2022-11-09 12:21:53 -05:00
Code Releases Activity
moby--moby/pkg/idtools/idtools_unix.go

296 lines
8.2 KiB
Go
Raw Normal View History

Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
// +build !windows
Add canonical import comment Signed-off-by: Daniel Nephin <dnephin@docker.com>
2018-02-05 16:05:59 -05:00
package idtools // import "github.com/docker/docker/pkg/idtools"
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
import (
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
"bytes"
"fmt"
"io"
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
"os"
"path/filepath"
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
"strconv"
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
"sync"
idtools.MkdirAs*: error out if dir exists as file Standard golang's `os.MkdirAll()` function returns "not a directory" error in case a directory to be created already exists but is not a directory (e.g. a file). Our own `idtools.MkdirAs*()` functions do not replicate the behavior. This is a bug since all `Mkdir()`-like functions are expected to ensure the required directory exists and is indeed a directory, and return an error otherwise. As the code is using our in-house `system.Stat()` call returning a type which is incompatible with that of golang's `os.Stat()`, I had to amend the `system` package with `IsDir()`. A test case is also provided. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-11-27 16:11:11 -05:00
"syscall"
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
"github.com/docker/docker/pkg/system"
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
"github.com/opencontainers/runc/libcontainer/user"
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
"github.com/pkg/errors"
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
)
var (
entOnce sync.Once
getentCmd string
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
)
Add ADD/COPY --chown flag support to Windows This implements chown support on Windows. Built-in accounts as well as accounts included in the SAM database of the container are supported. NOTE: IDPair is now named Identity and IDMappings is now named IdentityMapping. The following are valid examples: ADD --chown=Guest . <some directory> COPY --chown=Administrator . <some directory> COPY --chown=Guests . <some directory> COPY --chown=ContainerUser . <some directory> On Windows an owner is only granted the permission to read the security descriptor and read/write the discretionary access control list. This fix also grants read/write and execute permissions to the owner. Signed-off-by: Salahuddin Khan <salah@docker.com>
2017-11-16 01:20:33 -05:00
func mkdirAs(path string, mode os.FileMode, owner Identity, mkAll, chownExisting bool) error {
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
// make an array containing the original path asked for, plus (for mkAll == true)
// all path components leading up to the complete path that don't exist before we MkdirAll
// so that we can chown all of them properly at the end. If chownExisting is false, we won't
// chown the full directory path if it exists
Add ADD/COPY --chown flag support to Windows This implements chown support on Windows. Built-in accounts as well as accounts included in the SAM database of the container are supported. NOTE: IDPair is now named Identity and IDMappings is now named IdentityMapping. The following are valid examples: ADD --chown=Guest . <some directory> COPY --chown=Administrator . <some directory> COPY --chown=Guests . <some directory> COPY --chown=ContainerUser . <some directory> On Windows an owner is only granted the permission to read the security descriptor and read/write the discretionary access control list. This fix also grants read/write and execute permissions to the owner. Signed-off-by: Salahuddin Khan <salah@docker.com>
2017-11-16 01:20:33 -05:00
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
var paths []string
idtools don't chown if not needed In some cases (e.g. NFS), a chown may technically be a no-op but still return `EPERM`, so only call `chown` when neccessary. This is particularly problematic for docker users bind-mounting an NFS share into a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-10-02 09:47:09 -04:00
stat, err := system.Stat(path)
if err == nil {
idtools.MkdirAs*: error out if dir exists as file Standard golang's `os.MkdirAll()` function returns "not a directory" error in case a directory to be created already exists but is not a directory (e.g. a file). Our own `idtools.MkdirAs*()` functions do not replicate the behavior. This is a bug since all `Mkdir()`-like functions are expected to ensure the required directory exists and is indeed a directory, and return an error otherwise. As the code is using our in-house `system.Stat()` call returning a type which is incompatible with that of golang's `os.Stat()`, I had to amend the `system` package with `IsDir()`. A test case is also provided. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-11-27 16:11:11 -05:00
if !stat.IsDir() {
Simplify/fix MkdirAll usage This subtle bug keeps lurking in because error checking for `Mkdir()` and `MkdirAll()` is slightly different wrt to `EEXIST`/`IsExist`: - for `Mkdir()`, `IsExist` error should (usually) be ignored (unless you want to make sure directory was not there before) as it means "the destination directory was already there" - for `MkdirAll()`, `IsExist` error should NEVER be ignored. Mostly, this commit just removes ignoring the IsExist error, as it should not be ignored. Also, there are a couple of cases then IsExist is handled as "directory already exist" which is wrong. As a result, some code that never worked as intended is now removed. NOTE that `idtools.MkdirAndChown()` behaves like `os.MkdirAll()` rather than `os.Mkdir()` -- so its description is amended accordingly, and its usage is handled as such (i.e. IsExist error is not ignored). For more details, a quote from my runc commit 6f82d4b (July 2015): TL;DR: check for IsExist(err) after a failed MkdirAll() is both redundant and wrong -- so two reasons to remove it. Quoting MkdirAll documentation: > MkdirAll creates a directory named path, along with any necessary > parents, and returns nil, or else returns an error. If path > is already a directory, MkdirAll does nothing and returns nil. This means two things: 1. If a directory to be created already exists, no error is returned. 2. If the error returned is IsExist (EEXIST), it means there exists a non-directory with the same name as MkdirAll need to use for directory. Example: we want to MkdirAll("a/b"), but file "a" (or "a/b") already exists, so MkdirAll fails. The above is a theory, based on quoted documentation and my UNIX knowledge. 3. In practice, though, current MkdirAll implementation [1] returns ENOTDIR in most of cases described in #2, with the exception when there is a race between MkdirAll and someone else creating the last component of MkdirAll argument as a file. In this very case MkdirAll() will indeed return EEXIST. Because of #1, IsExist check after MkdirAll is not needed. Because of #2 and #3, ignoring IsExist error is just plain wrong, as directory we require is not created. It's cleaner to report the error now. Note this error is all over the tree, I guess due to copy-paste, or trying to follow the same usage pattern as for Mkdir(), or some not quite correct examples on the Internet. [1] https://github.com/golang/go/blob/f9ed2f75/src/os/path.go Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-09-25 15:39:36 -04:00
return &os.PathError{Op: "mkdir", Path: path, Err: syscall.ENOTDIR}
idtools.MkdirAs*: error out if dir exists as file Standard golang's `os.MkdirAll()` function returns "not a directory" error in case a directory to be created already exists but is not a directory (e.g. a file). Our own `idtools.MkdirAs*()` functions do not replicate the behavior. This is a bug since all `Mkdir()`-like functions are expected to ensure the required directory exists and is indeed a directory, and return an error otherwise. As the code is using our in-house `system.Stat()` call returning a type which is incompatible with that of golang's `os.Stat()`, I had to amend the `system` package with `IsDir()`. A test case is also provided. Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
2017-11-27 16:11:11 -05:00
}
idtools don't chown if not needed In some cases (e.g. NFS), a chown may technically be a no-op but still return `EPERM`, so only call `chown` when neccessary. This is particularly problematic for docker users bind-mounting an NFS share into a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-10-02 09:47:09 -04:00
if !chownExisting {
return nil
}
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
// short-circuit--we were called with an existing directory and chown was requested
Ensure MkdirAllAndChown also sets perms Generally if we ever need to change perms of a dir, between versions, this ensures the permissions actually change when we think it should change without having to handle special cases if it already existed. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit edb62a3ace8c4303822a391b38231e577f8c2ee8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-06 15:30:07 -04:00
return setPermissions(path, mode, owner.UID, owner.GID, stat)
idtools don't chown if not needed In some cases (e.g. NFS), a chown may technically be a no-op but still return `EPERM`, so only call `chown` when neccessary. This is particularly problematic for docker users bind-mounting an NFS share into a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-10-02 09:47:09 -04:00
}
if os.IsNotExist(err) {
paths = []string{path}
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
}
if mkAll {
// walk back to "/" looking for directories which do not exist
// and add them to the paths array for chown after creation
dirPath := path
for {
dirPath = filepath.Dir(dirPath)
if dirPath == "/" {
break
}
if _, err := os.Stat(dirPath); err != nil && os.IsNotExist(err) {
paths = append(paths, dirPath)
}
}
Allow system.MkDirAll() to be used as drop-in for os.MkDirAll() also renamed the non-windows variant of this file to be consistent with other files in this package Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2019-08-08 05:51:00 -04:00
if err := system.MkdirAll(path, mode); err != nil {
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
return err
}
} else {
if err := os.Mkdir(path, mode); err != nil && !os.IsExist(err) {
return err
}
}
// even if it existed, we will chown the requested path + any subpaths that
// didn't exist when we called MkdirAll
for _, pathComponent := range paths {
Ensure MkdirAllAndChown also sets perms Generally if we ever need to change perms of a dir, between versions, this ensures the permissions actually change when we think it should change without having to handle special cases if it already existed. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit edb62a3ace8c4303822a391b38231e577f8c2ee8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-06 15:30:07 -04:00
if err := setPermissions(pathComponent, mode, owner.UID, owner.GID, nil); err != nil {
Correct build-time directory creation with user namespaced daemon This fixes errors in ownership on directory creation during build that can cause inaccessible files depending on the paths in the Dockerfile and non-existing directories in the starting image. Add tests for the mkdir variants in pkg/idtools Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com> (github: estesp)
2015-10-14 14:35:48 -04:00
return err
}
}
return nil
}
Don't start daemon in userns mode if graphdir inaccessible Warn the user and fail daemon start if the graphdir path has any elements which will deny access to the remapped root uid/gid. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-08-23 12:49:13 -04:00
// CanAccess takes a valid (existing) directory and a uid, gid pair and determines
// if that uid, gid pair has access (execute bit) to the directory
Add ADD/COPY --chown flag support to Windows This implements chown support on Windows. Built-in accounts as well as accounts included in the SAM database of the container are supported. NOTE: IDPair is now named Identity and IDMappings is now named IdentityMapping. The following are valid examples: ADD --chown=Guest . <some directory> COPY --chown=Administrator . <some directory> COPY --chown=Guests . <some directory> COPY --chown=ContainerUser . <some directory> On Windows an owner is only granted the permission to read the security descriptor and read/write the discretionary access control list. This fix also grants read/write and execute permissions to the owner. Signed-off-by: Salahuddin Khan <salah@docker.com>
2017-11-16 01:20:33 -05:00
func CanAccess(path string, pair Identity) bool {
Don't start daemon in userns mode if graphdir inaccessible Warn the user and fail daemon start if the graphdir path has any elements which will deny access to the remapped root uid/gid. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-08-23 12:49:13 -04:00
statInfo, err := system.Stat(path)
if err != nil {
return false
}
fileMode := os.FileMode(statInfo.Mode())
permBits := fileMode.Perm()
Partial refactor of UID/GID usage to use a unified struct. Signed-off-by: Daniel Nephin <dnephin@docker.com>
2017-05-19 18:06:46 -04:00
return accessible(statInfo.UID() == uint32(pair.UID),
statInfo.GID() == uint32(pair.GID), permBits)
Don't start daemon in userns mode if graphdir inaccessible Warn the user and fail daemon start if the graphdir path has any elements which will deny access to the remapped root uid/gid. Docker-DCO-1.1-Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-08-23 12:49:13 -04:00
}
func accessible(isOwner, isGroup bool, perms os.FileMode) bool {
if isOwner && (perms&0100 == 0100) {
return true
}
if isGroup && (perms&0010 == 0010) {
return true
}
if perms&0001 == 0001 {
return true
}
return false
}
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
// LookupUser uses traditional local system files lookup (from libcontainer/user) on a username,
// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
func LookupUser(name string) (user.User, error) {
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
// first try a local system files lookup using existing capabilities
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
usr, err := user.LookupUser(name)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
if err == nil {
return usr, nil
}
// local files lookup failed; attempt to call `getent` to query configured passwd dbs
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
usr, err = getentUser(name)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
if err != nil {
return user.User{}, err
}
return usr, nil
}
// LookupUID uses traditional local system files lookup (from libcontainer/user) on a uid,
// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
func LookupUID(uid int) (user.User, error) {
// first try a local system files lookup using existing capabilities
usr, err := user.LookupUid(uid)
if err == nil {
return usr, nil
}
// local files lookup failed; attempt to call `getent` to query configured passwd dbs
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
return getentUser(strconv.Itoa(uid))
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
}
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
func getentUser(name string) (user.User, error) {
reader, err := callGetent("passwd", name)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
if err != nil {
return user.User{}, err
}
users, err := user.ParsePasswd(reader)
if err != nil {
return user.User{}, err
}
if len(users) == 0 {
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
return user.User{}, fmt.Errorf("getent failed to find passwd entry for %q", name)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
}
return users[0], nil
}
// LookupGroup uses traditional local system files lookup (from libcontainer/user) on a group name,
// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
func LookupGroup(name string) (user.Group, error) {
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
// first try a local system files lookup using existing capabilities
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
group, err := user.LookupGroup(name)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
if err == nil {
return group, nil
}
// local files lookup failed; attempt to call `getent` to query configured group dbs
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
return getentGroup(name)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
}
// LookupGID uses traditional local system files lookup (from libcontainer/user) on a group ID,
// followed by a call to `getent` for supporting host configured non-files passwd and group dbs
func LookupGID(gid int) (user.Group, error) {
// first try a local system files lookup using existing capabilities
group, err := user.LookupGid(gid)
if err == nil {
return group, nil
}
// local files lookup failed; attempt to call `getent` to query configured group dbs
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
return getentGroup(strconv.Itoa(gid))
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
}
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
func getentGroup(name string) (user.Group, error) {
reader, err := callGetent("group", name)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
if err != nil {
return user.Group{}, err
}
groups, err := user.ParseGroup(reader)
if err != nil {
return user.Group{}, err
}
if len(groups) == 0 {
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
return user.Group{}, fmt.Errorf("getent failed to find groups entry for %q", name)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
}
return groups[0], nil
}
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
func callGetent(database, key string) (io.Reader, error) {
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
entOnce.Do(func() { getentCmd, _ = resolveBinary("getent") })
// if no `getent` command on host, can't do anything else
if getentCmd == "" {
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
return nil, fmt.Errorf("unable to find getent command")
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
}
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
out, err := execCmd(getentCmd, database, key)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
if err != nil {
Remove use of pkg/integration in pkg/idtools This remove a dependency on `go-check` (and more) when using `pkg/idtools`. `pkg/integration` should never be called from any other package then `integration`. Signed-off-by: Vincent Demeester <vincent@sbr.pm>
2016-11-08 11:21:02 -05:00
exitCode, errC := system.GetExitCode(err)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
if errC != nil {
return nil, err
}
switch exitCode {
case 1:
return nil, fmt.Errorf("getent reported invalid parameters/database unknown")
case 2:
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
return nil, fmt.Errorf("getent unable to find entry %q in %s database", key, database)
Add support for looking up user/groups via `getent` When processing the --userns-remap flag, add the capability to call out to `getent` if the user and group information is not found via local file parsing code already in libcontainer/user. Signed-off-by: Phil Estes <estesp@linux.vnet.ibm.com>
2016-10-20 15:43:42 -04:00
case 3:
return nil, fmt.Errorf("getent database doesn't support enumeration")
default:
return nil, err
}
}
return bytes.NewReader(out), nil
}
idtools don't chown if not needed In some cases (e.g. NFS), a chown may technically be a no-op but still return `EPERM`, so only call `chown` when neccessary. This is particularly problematic for docker users bind-mounting an NFS share into a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-10-02 09:47:09 -04:00
Ensure MkdirAllAndChown also sets perms Generally if we ever need to change perms of a dir, between versions, this ensures the permissions actually change when we think it should change without having to handle special cases if it already existed. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit edb62a3ace8c4303822a391b38231e577f8c2ee8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-06 15:30:07 -04:00
// setPermissions performs a chown/chmod only if the uid/gid don't match what's requested
idtools don't chown if not needed In some cases (e.g. NFS), a chown may technically be a no-op but still return `EPERM`, so only call `chown` when neccessary. This is particularly problematic for docker users bind-mounting an NFS share into a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-10-02 09:47:09 -04:00
// Normally a Chown is a no-op if uid/gid match, but in some cases this can still cause an error, e.g. if the
// dir is on an NFS share, so don't call chown unless we absolutely must.
Ensure MkdirAllAndChown also sets perms Generally if we ever need to change perms of a dir, between versions, this ensures the permissions actually change when we think it should change without having to handle special cases if it already existed. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit edb62a3ace8c4303822a391b38231e577f8c2ee8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-06 15:30:07 -04:00
// Likewise for setting permissions.
func setPermissions(p string, mode os.FileMode, uid, gid int, stat *system.StatT) error {
idtools don't chown if not needed In some cases (e.g. NFS), a chown may technically be a no-op but still return `EPERM`, so only call `chown` when neccessary. This is particularly problematic for docker users bind-mounting an NFS share into a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-10-02 09:47:09 -04:00
if stat == nil {
var err error
stat, err = system.Stat(p)
if err != nil {
return err
}
}
Ensure MkdirAllAndChown also sets perms Generally if we ever need to change perms of a dir, between versions, this ensures the permissions actually change when we think it should change without having to handle special cases if it already existed. Signed-off-by: Brian Goff <cpuguy83@gmail.com> (cherry picked from commit edb62a3ace8c4303822a391b38231e577f8c2ee8) Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-10-06 15:30:07 -04:00
if os.FileMode(stat.Mode()).Perm() != mode.Perm() {
if err := os.Chmod(p, mode.Perm()); err != nil {
return err
}
}
idtools don't chown if not needed In some cases (e.g. NFS), a chown may technically be a no-op but still return `EPERM`, so only call `chown` when neccessary. This is particularly problematic for docker users bind-mounting an NFS share into a container. Signed-off-by: Brian Goff <cpuguy83@gmail.com>
2017-10-02 09:47:09 -04:00
if stat.UID() == uint32(uid) && stat.GID() == uint32(gid) {
return nil
}
return os.Chown(p, uid, gid)
}
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
// NewIdentityMapping takes a requested username and
// using the data from /etc/sub{uid,gid} ranges, creates the
// proper uid and gid remapping ranges for that user/group pair
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
func NewIdentityMapping(name string) (*IdentityMapping, error) {
usr, err := LookupUser(name)
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
if err != nil {
pkg/idtools: refactor to avoid string-splitting The package used a lot of string-formatting, followed by string-splitting. This looked to originate from attempts to use templating to allow future extensibility (9a3ab0358ecd657e3754677ff52250fd6cca4422). Looking at the history of the package, only a single update was made to these templates, 5 years go, which makes it unlikely that more templating will be needed. This patch simplifies the handling of arguments to use `[]string` instead of a single `string` (and splitting to a `[]string`). This both simplifies the code somewhat, and prevents user/group-names containing spaces to be splitted (causing, e.g. `getent` to fail). Note that user/group-names containing spaces are invalid (or at least discouraged), there are situations where such names may be used, so we should avoid breaking on such names. Before this change, a user/group name with a space in its name would fail; dockerd --userns-remap="user:domain users" INFO[2020-08-19T10:26:59.288868661+02:00] Starting up Error during groupname lookup for "domain users": getent unable to find entry "domain" in group database With this change: # Add some possibly problematic usernames for testing # need to do this manually, as `adduser` / `useradd` won't accept these names echo 'user name:x:1002:1002::/home/one:/bin/false' >> /etc/passwd; \ echo 'user name:x:1002:' >> /etc/group; \ echo 'user name:1266401166:65536' >> /etc/subuid; \ echo 'user name:1266401153:65536' >> /etc/subgid; \ echo 'user$HOME:x:1003:1003::/home/one:/bin/false' >> /etc/passwd; \ echo 'user$HOME:x:1003:' >> /etc/group; \ echo 'user$HOME:1266401166:65536' >> /etc/subuid; \ echo 'user$HOME:1266401153:65536' >> /etc/subgid; \ echo 'user'"'"'name:x:1004:1004::/home/one:/bin/false' >> /etc/passwd; \ echo 'user'"'"'name:x:1004:' >> /etc/group; \ echo 'user'"'"'name:1266401166:65536' >> /etc/subuid; \ echo 'user'"'"'name:1266401153:65536' >> /etc/subgid; \ echo 'user"name:x:1005:1005::/home/one:/bin/false' >> /etc/passwd; \ echo 'user"name:x:1005:' >> /etc/group; \ echo 'user"name:1266401166:65536' >> /etc/subuid; \ echo 'user"name:1266401153:65536' >> /etc/subgid; # Start the daemon using those users dockerd --userns-remap="user name:user name" dockerd --userns-remap='user$HOME:user$HOME' dockerd --userns-remap="user'name":"user'name" dockerd --userns-remap='user"name':'user"name' Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
2020-08-20 04:40:06 -04:00
return nil, fmt.Errorf("Could not get user for username %s: %v", name, err)
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
}
Fix userns-remap option when username & UID match Signed-off-by: Grant Millar <rid@cylo.io>
2021-02-09 11:13:35 -05:00
subuidRanges, err := lookupSubUIDRanges(usr)
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
if err != nil {
return nil, err
}
Fix userns-remap option when username & UID match Signed-off-by: Grant Millar <rid@cylo.io>
2021-02-09 11:13:35 -05:00
subgidRanges, err := lookupSubGIDRanges(usr)
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
if err != nil {
return nil, err
}
Fix userns-remap option when username & UID match Signed-off-by: Grant Millar <rid@cylo.io>
2021-02-09 11:13:35 -05:00
return &IdentityMapping{
uids: subuidRanges,
gids: subgidRanges,
}, nil
}
func lookupSubUIDRanges(usr user.User) ([]IDMap, error) {
rangeList, err := parseSubuid(strconv.Itoa(usr.Uid))
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
if err != nil {
return nil, err
}
Fix userns-remap option when username & UID match Signed-off-by: Grant Millar <rid@cylo.io>
2021-02-09 11:13:35 -05:00
if len(rangeList) == 0 {
rangeList, err = parseSubuid(usr.Name)
if err != nil {
return nil, err
}
}
if len(rangeList) == 0 {
return nil, errors.Errorf("no subuid ranges found for user %q", usr.Name)
}
return createIDMap(rangeList), nil
}
func lookupSubGIDRanges(usr user.User) ([]IDMap, error) {
rangeList, err := parseSubgid(strconv.Itoa(usr.Uid))
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
if err != nil {
return nil, err
}
Fix userns-remap option when username & UID match Signed-off-by: Grant Millar <rid@cylo.io>
2021-02-09 11:13:35 -05:00
if len(rangeList) == 0 {
rangeList, err = parseSubgid(usr.Name)
if err != nil {
return nil, err
}
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
}
Fix userns-remap option when username & UID match Signed-off-by: Grant Millar <rid@cylo.io>
2021-02-09 11:13:35 -05:00
if len(rangeList) == 0 {
return nil, errors.Errorf("no subgid ranges found for user %q", usr.Name)
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
}
Fix userns-remap option when username & UID match Signed-off-by: Grant Millar <rid@cylo.io>
2021-02-09 11:13:35 -05:00
return createIDMap(rangeList), nil
remove group name from identity mapping NewIdentityMapping took group name as an argument, and used the group name also to parse the /etc/sub{uid,gui}. But as per linux man pages, the sub{uid,gid} file maps username or uid, not a group name. Therefore, all occurrences where mapping is used need to consider only username and uid. Code trying to map using gid and group name in the daemon is also removed. Signed-off-by: Akhil Mohan <akhil.mohan@mayadata.io>
2020-05-24 09:29:06 -04:00
}
Copy permalink