additional_gids ignored on exec #644

Closed
owtaylor opened this issue Apr 9, 2021 · 0 comments · Fixed by #645

owtaylor commented Apr 9, 2021

When setting up gids for exec, the user: {} definition in the process spec is ignored and the one in the container is used instead. See containers/podman#9986 for a reproducer with podman.

Will file a pull request with an attempt at a fix for the problem.

owtaylor added a commit to owtaylor/crun that referenced this issue Apr 9, 2021
…er definition

The code was using the process defined in the container definition to find additional_gids,
not the one passed on the command line or created by default.

Fixes containers#644

Signed-off-by: Owen W. Taylor <otaylor@fishsoup.net>
debarshiray added a commit to debarshiray/toolbox that referenced this issue Feb 8, 2024
Commit 15173f8 exposed a bug in crun(1) [1] where the process
started directly by 'podman exec --user ...' inside the Toolbx container
would not have the supplementary groups that the user is a member of.

This could be observed by differences in id(1):
  ⬢$ id
  uid=1000(user) gid=1000(user) groups=1000(user)
  ⬢$ id user
  uid=1000(user) gid=1000(user) groups=1000(user),10(wheel)

... and could be worked around by starting a new session with sudo(8).

[1] crun commit 9effaebb429a1aed
    containers/crun@9effaebb429a1aed
    containers/crun#644
    containers/podman#9986

containers#608
debarshiray added a commit to debarshiray/toolbox that referenced this issue Feb 9, 2024
Commit 15173f8 exposed a bug in crun(1) [1] where the process
started directly by 'podman exec --user ...' inside the Toolbx container
would not have the supplementary groups attached to the user by the
entry point.

This could be observed by differences in id(1):
  ⬢$ id
  uid=1000(user) gid=1000(user) groups=1000(user)
  ⬢$ id user
  uid=1000(user) gid=1000(user) groups=1000(user),10(wheel)

... and could be worked around by starting a new session with sudo(8).

[1] crun commit 9effaebb429a1aed
    containers/crun@9effaebb429a1aed
    containers/crun#644
    containers/podman#9986

containers#608
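
The `id` versus `id user` comparison quoted in the commit messages above can be turned into a scripted check. The following is an added example, not part of the original thread and not code from crun or Toolbx: it compares the groups recorded in a process's `/proc/<pid>/status` against the memberships listed in an `/etc/group`-format database. The function names, the sample status text and the `video` gid 39 entry are constructed for illustration.

```python
# Added example; the sample inputs below are constructed, not captured output.

def parse_status(status_text):
    """Return (effective gid, supplementary gid set) from /proc/<pid>/status text."""
    fields = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.split()
    egid = int(fields["Gid"][1])  # order: real, effective, saved, filesystem
    return egid, {int(g) for g in fields.get("Groups", [])}

def expected_gids(user, primary_gid, group_text):
    """Primary gid plus every /etc/group entry listing `user` as a member."""
    gids = {primary_gid}
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or parts[0].startswith("#"):
            continue
        if user in parts[3].split(","):
            gids.add(int(parts[2]))
    return gids

def compare_groups(status_text, user, group_text):
    """Report gids the process lacks, and gids it holds beyond the database."""
    egid, supplementary = parse_status(status_text)
    actual = supplementary | {egid}
    expected = expected_gids(user, egid, group_text)
    return {"missing": sorted(expected - actual),
            "unexpected": sorted(actual - expected)}

# Constructed group database matching the names shown in the thread.
GROUP_DB = "root:x:0:\nwheel:x:10:user\nvideo:x:39:\nuser:x:1000:\n"
STATUS_HEAD = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
# Process as in the first id(1) output: only the primary group.
STATUS_NO_SUPP = STATUS_HEAD + "Groups:\t1000 \n"
# Process whose groups agree with `id user`.
STATUS_OK = STATUS_HEAD + "Groups:\t10 1000 \n"
# Process carrying a gid the database does not grant this user (gid 39 is constructed).
STATUS_EXTRA = STATUS_HEAD + "Groups:\t39 1000 \n"

if __name__ == "__main__":
    for name, text in [("no-supp", STATUS_NO_SUPP), ("ok", STATUS_OK), ("extra", STATUS_EXTRA)]:
        print(name, compare_groups(text, "user", GROUP_DB))
```

Inside a container, pass the contents of `/proc/self/status` and `/etc/group` from the exec'd process; memberships that come from other NSS sources are not covered by this check.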