reduce the chance of parsing /etc/passwd & /etc/group
Signed-off-by: lifubang <[email protected]>
lifubang committed Sep 28, 2023
1 parent 4d948b1 commit 42d0004
Showing 3 changed files with 49 additions and 23 deletions.
52 changes: 39 additions & 13 deletions libcontainer/init_linux.go
Expand Up @@ -440,35 +440,61 @@ func syncParentSeccomp(pipe *os.File, seccompFd *os.File) error {
return readSync(pipe, procSeccompDone)
}

// setupUser changes the groups, gid, and uid for the user inside the container
func setupUser(config *initConfig) error {
func getExecUser(userAndGroup string) (*user.ExecUser, error) {
// Set up defaults.
defaultExecUser := user.ExecUser{
Uid: 0,
Gid: 0,
Home: "/",
}

passwdPath, err := user.GetPasswdPath()
if err != nil {
return err
}
u := strings.SplitN(userAndGroup, ":", 2)

groupPath, err := user.GetGroupPath()
if err != nil {
return err
// len(u) == 1 means there is no group id, we should try to get the supplementary group IDs.
if len(u) == 1 || u[0] == "" || os.Getenv("HOME") == "" {
passwdPath, err := user.GetPasswdPath()
if err != nil {
return nil, err
}

groupPath, err := user.GetGroupPath()
if err != nil {
return nil, err
}

return user.GetExecUserPath(userAndGroup, &defaultExecUser, passwdPath, groupPath)
} else {

uid, err := strconv.Atoi(u[0])
if err != nil {
return nil, err
}
gid, err := strconv.Atoi(u[1])
if err != nil {
return nil, err
}
return &user.ExecUser{
Uid: uid,
Gid: gid,
Home: os.Getenv("HOME"),
}, nil
}
}

execUser, err := user.GetExecUserPath(config.User, &defaultExecUser, passwdPath, groupPath)
// setupUser changes the groups, gid, and uid for the user inside the container

func setupUser(config *initConfig) error {
execUser, err := getExecUser(config.User)
if err != nil {
return err
}

var addGroups []int
if len(config.AdditionalGroups) > 0 {
addGroups, err = user.GetAdditionalGroupsPath(config.AdditionalGroups, groupPath)
if err != nil {
return err
for _, group := range config.AdditionalGroups {
gid, err := strconv.Atoi(group)
if err != nil {
return err
}
addGroups = append(addGroups, gid)
}
}

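Review bot: The numeric fast path in getExecUser is taken whenever a `user:group` pair is present and HOME is set, so a name-based spec such as `root:root` now fails inside strconv.Atoi instead of being resolved through the passwd/group lookup, and Atoi also accepts negative IDs and values beyond the 32-bit range which, as far as I recall, the lookup path in the user package rejected with a range error. Deciding the fast path on whether both halves parse as non-negative integers, and falling back to GetExecUserPath otherwise, keeps the old behaviour for names while still skipping the file parse for the common numeric case; the if/else also collapses into the early return the linter asks for. The same applies to AdditionalGroups in setupUser, which now accepts only numeric GIDs with no sign check; a `gid < 0` guard (or a fallback to GetAdditionalGroupsPath for non-numeric entries, mirroring the user handling) would avoid handing arbitrary values on to setgroups. setupUser's body continues past the end of the hunk.
```go
func getExecUser(userAndGroup string) (*user.ExecUser, error) {
	// … unchanged: defaultExecUser …
	u := strings.SplitN(userAndGroup, ":", 2)
	// Skip the passwd/group lookup only when both IDs are explicit,
	// numeric and non-negative and HOME is already set; names, a missing
	// group or a missing HOME still need the files.
	if len(u) == 2 && os.Getenv("HOME") != "" {
		uid, uidErr := strconv.Atoi(u[0])
		gid, gidErr := strconv.Atoi(u[1])
		if uidErr == nil && gidErr == nil && uid >= 0 && gid >= 0 {
			return &user.ExecUser{Uid: uid, Gid: gid, Home: os.Getenv("HOME")}, nil
		}
	}
	// … unchanged: passwdPath/groupPath lookup and GetExecUserPath …
```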
10 changes: 5 additions & 5 deletions libcontainer/integration/exec_test.go
Expand Up @@ -395,7 +395,7 @@ func TestAdditionalGroups(t *testing.T) {
Env: standardEnvironment,
Stdin: nil,
Stdout: &stdout,
AdditionalGroups: []string{"plugdev", "audio"},
AdditionalGroups: []string{"1", "2"},
Init: true,
}
err = container.Run(&pconfig)
Expand All @@ -407,12 +407,12 @@ func TestAdditionalGroups(t *testing.T) {
outputGroups := stdout.String()

// Check that the groups output has the groups that we specified
if !strings.Contains(outputGroups, "audio") {
t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)
if !strings.Contains(outputGroups, "1") {
t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
}

if !strings.Contains(outputGroups, "plugdev") {
t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)
if !strings.Contains(outputGroups, "2") {
t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
}
}

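Review bot: `strings.Contains(outputGroups, "1")` on the new line is a substring match, so it is also satisfied by a group id such as `10` or `1000` anywhere in the output, and `"2"` likewise by `20`; the old names `audio` and `plugdev` were distinctive enough that this did not matter. Compare whole tokens instead, e.g. `if !slices.Contains(strings.Fields(outputGroups), "1")` (or an equivalent loop over `strings.Fields` if the module's Go version predates `slices`). The two failure messages are now identical and no longer say which group is missing; name it, e.g. `t.Fatalf("Listed groups do not contain group 1 as expected: %v", outputGroups)`. TestAdditionalGroups starts before the first hunk.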
10 changes: 5 additions & 5 deletions libcontainer/integration/execin_test.go
Expand Up @@ -162,7 +162,7 @@ func TestExecInAdditionalGroups(t *testing.T) {
Env: standardEnvironment,
Stdin: nil,
Stdout: &stdout,
AdditionalGroups: []string{"plugdev", "audio"},
AdditionalGroups: []string{"1", "2"},
}
err = container.Run(&pconfig)
ok(t, err)
Expand All @@ -176,12 +176,12 @@ func TestExecInAdditionalGroups(t *testing.T) {
outputGroups := stdout.String()

// Check that the groups output has the groups that we specified
if !strings.Contains(outputGroups, "audio") {
t.Fatalf("Listed groups do not contain the audio group as expected: %v", outputGroups)
if !strings.Contains(outputGroups, "1") {
t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
}

if !strings.Contains(outputGroups, "plugdev") {
t.Fatalf("Listed groups do not contain the plugdev group as expected: %v", outputGroups)
if !strings.Contains(outputGroups, "2") {
t.Fatalf("Listed groups do not contain the group as expected: %v", outputGroups)
}
}

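Review bot: The assertions in TestExecInAdditionalGroups have the same weakness as the numeric ids they now check: `strings.Contains(outputGroups, "2")` passes if any id containing the digit 2 (say `20`) appears, so the test can succeed without the requested group being present. Splitting the output into tokens and checking for an exact `"1"` / `"2"` entry, e.g. `if !slices.Contains(strings.Fields(outputGroups), "2")`, makes the check meaningful; a `strings.Fields` loop does the same on older Go. Keeping the group id in each Fatalf message, e.g. `"Listed groups do not contain group 2: %v"`, also restores the distinct failure text the old name-based version had. The function starts before the first hunk.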
