From 393027d1b12633d23a276a3779346ae6e08e4820 Mon Sep 17 00:00:00 2001
From: Nicolas De Loof
Date: Thu, 2 Jun 2022 11:30:15 +0200
Subject: [PATCH 1/2] AdditionalGids must include effective group ID otherwise this one won't be considered for permission checks
Signed-off-by: Nicolas De Loof
(cherry picked from commit 25345f2c04b2691406d683034d21bb5e51ea982c)
Signed-off-by: Sebastiaan van Stijn
---
 daemon/oci_linux.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/daemon/oci_linux.go b/daemon/oci_linux.go
index 8deeed2b86..cbf6342368 100644
--- a/daemon/oci_linux.go
+++ b/daemon/oci_linux.go
@@ -198,6 +198,7 @@ func getUser(c *container.Container, username string) (specs.User, error) {
 }
 usr.UID = uint32(execUser.Uid)
 usr.GID = uint32(execUser.Gid)
+ usr.AdditionalGids = []uint32{usr.GID}
 
 var addGroups []int
 if len(c.HostConfig.GroupAdd) > 0 {

From 366d551cd26362304f2580737fa1cec28da92359 Mon Sep 17 00:00:00 2001
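Review bot: The added `usr.AdditionalGids = []uint32{usr.GID}` establishes an invariant that the code itself does not state, and as a plain assignment it also replaces whatever `usr.AdditionalGids` may have held when `getUser` reaches this point (the function's earlier lines and its return are outside the hunk, so I cannot confirm nothing was set before). I would carry the commit's rationale onto the line, e.g. `// Always seed the supplementary list with the effective GID: the runtime does not add it implicitly, and without it the primary group is missing from the container's group membership.` The supplementary-group handling that follows (`addGroups`, `GroupAdd`) runs past the end of the hunk; if it appends the user's groups from the container's /etc/group, the effective GID can now appear twice — harmless for setgroups(2), but worth de-duplicating so `id` output and exact string comparisons like those in the updated tests stay stable. getUser starts and ends outside this hunk.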
From: Sebastiaan van Stijn
Date: Thu, 8 Sep 2022 23:27:59 +0200
Subject: [PATCH 2/2] Update some tests for supplementary group permissions
Update tests checking for groups to adjust for new policy updated in de7af816e76a7fd3fbf06bffa6832959289fba32, which caused those tests to fail:
=== FAIL: amd64.integration-cli TestDockerSwarmSuite/TestSwarmServiceWithGroup (1.94s)
docker_cli_swarm_test.go:311: assertion failed: uid=0(root) gid=0(root) groups=0(root),10(wheel),29(audio),50(staff),777 (string) != uid=0(root) gid=0(root) groups=10(wheel),29(audio),50(staff),777 (string)
--- FAIL: TestDockerSwarmSuite/TestSwarmServiceWithGroup (1.94s)
=== FAIL: amd64.integration-cli TestDockerCLIRunSuite/TestRunGroupAdd (0.41s)
docker_cli_run_test.go:1091: expected output uid=0(root) gid=0(root) groups=10(wheel),29(audio),50(staff),777 received uid=0(root) gid=0(root) groups=0(root),10(wheel),29(audio),50(staff),777
--- FAIL: TestDockerCLIRunSuite/TestRunGroupAdd (0.41s)
=== FAIL: amd64.integration-cli TestDockerCLIRunSuite/TestRunUserByIDZero (0.41s)
docker_cli_run_test.go:790: expected daemon user got uid=0(root) gid=0(root) groups=0(root),10(wheel)
--- FAIL: TestDockerCLIRunSuite/TestRunUserByIDZero (0.41s)
=== FAIL: amd64.integration-cli TestDockerCLIRunSuite (195.70s)
Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit c7e77dba7ff1e512d702dc434d8d2bb956d80f47)
Signed-off-by: Sebastiaan van Stijn
---
 integration-cli/docker_cli_run_test.go | 4 ++--
 integration-cli/docker_cli_swarm_test.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index c0780a1579..9643833e39 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -786,7 +786,7 @@ func (s *DockerCLIRunSuite) TestRunUserByIDZero(c *testing.T) {
 if err != nil {
 c.Fatal(err, out)
 }
- if !strings.Contains(out, "uid=0(root) gid=0(root) groups=10(wheel)") {
+ if !strings.Contains(out, "uid=0(root) gid=0(root) groups=0(root),10(wheel)") {
 c.Fatalf("expected daemon user got %s", out)
 }
 }
@@ -1086,7 +1086,7 @@ func (s *DockerCLIRunSuite) TestRunGroupAdd(c *testing.T) {
 testRequires(c, DaemonIsLinux)
 out, _ := dockerCmd(c, "run", "--group-add=audio", "--group-add=staff", "--group-add=777", "busybox", "sh", "-c", "id")
 
- groupsList := "uid=0(root) gid=0(root) groups=10(wheel),29(audio),50(staff),777"
+ groupsList := "uid=0(root) gid=0(root) groups=0(root),10(wheel),29(audio),50(staff),777"
 if actual := strings.Trim(out, "\r\n"); actual != groupsList {
 c.Fatalf("expected output %s received %s", groupsList, actual)
 }
diff --git a/integration-cli/docker_cli_swarm_test.go b/integration-cli/docker_cli_swarm_test.go
index dd35e0f749..fad82fc702 100644
--- a/integration-cli/docker_cli_swarm_test.go
+++ b/integration-cli/docker_cli_swarm_test.go
@@ -308,7 +308,7 @@ func (s *DockerSwarmSuite) TestSwarmServiceWithGroup(c *testing.T) {
 out, err = d.Cmd("exec", container, "id")
 assert.NilError(c, err, out)
 
- assert.Equal(c, strings.TrimSpace(out), "uid=0(root) gid=0(root) groups=10(wheel),29(audio),50(staff),777")
+ assert.Equal(c, strings.TrimSpace(out), "uid=0(root) gid=0(root) groups=0(root),10(wheel),29(audio),50(staff),777")
 }
 
 func (s *DockerSwarmSuite) TestSwarmContainerAutoStart(c *testing.T) {
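Review bot: The updated `groupsList` in TestRunGroupAdd now pins not only membership but the exact order in which the daemon emits supplementary groups (effective GID first, then the `--group-add` values in the order given), and nothing in the test says why `0(root)` appears under `groups=` when no `--group-add=root` was passed. A one-line comment above the assignment would spare the next reader a trip through `getUser`, e.g. `// The daemon seeds AdditionalGids with the effective GID, so the primary group is listed first among the supplementary groups.` If ordering is not part of the contract under test, splitting the `groups=` field on "," and comparing as a set would let the assertion survive a future reordering while still catching a dropped group. TestRunGroupAdd's signature sits outside the hunk (only in the @@ context line), while its closing brace is the hunk's last line.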