Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix permission on secrets directory #12813

Merged
merged 1 commit into from
Jan 12, 2022

Conversation

rhatdan
Copy link
Member

@rhatdan rhatdan commented Jan 11, 2022

This directory needs to be world searchable so users can access it from
different user namespaces.

Fixes: #12779

Signed-off-by: Daniel J Walsh dwalsh@redhat.com

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 11, 2022
@rhatdan
Copy link
Member Author

rhatdan commented Jan 11, 2022

@ashley-cui @containers/podman-maintainers PTAL

Copy link
Member

@edsantiago edsantiago left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor quibbles, none of them showstoppers, but the missing tmpfile cleanup is enough to make me request a re-push. (The others, up to you).

run_podman secret create ${test_name} ${secret_file}
run_podman run --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
is ${output} ${secret_content} "Secrets should work with user namespace"
run_podman rm --all --force
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not just run --rm in line 93?

egrep -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
fi
test_name="test_$(random_string 12)"
secret_file="/tmp/secret$(random_string 12)"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you use secret_file=$PODMAN_TMPDIR/secret$(random_string 12) you don't have to rm -f $secret_file at the end.

egrep -q "^$(id -un):" /etc/subuid || skip "no IDs allocated for current user"
else
egrep -q "^containers:" /etc/subuid || skip "no IDs allocated for user 'containers'"
fi
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very minor duplication-avoiding suggestion:

    ns_user="containers"
    if is_rootless then
        ns_user=$(id -un)
    fi
    egrep -q "$ns_user:" /etc/subuid || skip "no IDs allocated for user '$ns_user'"

if is_rootless; then
ns_user=$(id -un)
fi
egrep -q "ns_user:" /etc/subuid || skip "no IDs allocated for current user"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing dollar sign, should be $ns_user

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, and can you change current user to user '$ns_user'?

secret_content=$(random_string)
echo ${secret_content} > ${secret_file}
run_podman secret create ${test_name} ${secret_file}
run_podman run -rm --secret=${test_name} --userns=auto:size=1000 $IMAGE cat /run/secrets/${test_name}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more: it should be --rm (two dashes, not one)

This directory needs to be world searchable so users can access it from
different user namespaces.

Fixes: containers#12779

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
Copy link
Member

@ashley-cui ashley-cui left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@TomSweeneyRedHat
Copy link
Member

Changes LGTM, but the test failure doesn't look to be a flake.

@edsantiago
Copy link
Member

Rebase needed to fix buildah-bud tests; see #12818 for details.

@flouthoc
Copy link
Collaborator

/lgtm
/approve

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 12, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 12, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: edsantiago, flouthoc, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [edsantiago,flouthoc,rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

1 similar comment
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 12, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: edsantiago, flouthoc, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [edsantiago,flouthoc,rhatdan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit 6945b37 into containers:main Jan 12, 2022
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 22, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 22, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Cannot give secret to container running in user namespace
6 participants