On Thu, Apr 22, 2021 at 11:18 AM Giuseppe Scrivano <gscrivan@xxxxxxxxxx> wrote:
> thanks for the feedback. We are still facing the issue with rootless
> Podman, and these patches (listed here so you won't need to dig into archives):
>
> https://github.com/giuseppe/linux/commit/7e0701b389c497472d11fab8570c153a414050af
> https://github.com/giuseppe/linux/commit/1c5fe726346b216293a527719e64f34e6297f0c2
>
> would solve the issue for us as well and we can use setgroups within a
> user namespace in a safe way.
>
> Any comments on this approach? Could we move forward with it?
>

I rebased and built your changes on top of v5.10, patched our tool to burn
"shadow" into /proc/self/setgroups, and it's working beautifully:

$ id
uid=1000(snaipe) gid=1000(snaipe) groups=1000(snaipe),998(wheel)
$ bst grep . /proc/self/uid_map /proc/self/gid_map /proc/self/setgroups
/proc/self/uid_map: 0 1000 1
/proc/self/uid_map: 1 100000 65536
/proc/self/gid_map: 0 1000 1
/proc/self/gid_map: 1 100000 65536
/proc/self/setgroups:shadow
$ ls -l
total 8
drwxr-xr-x 2 root wheel 4096 Apr 23 14:18 allowed
drwx---r-x 2 root wheel 4096 Apr 23 14:18 denied
$ bst sh -c 'id; ls allowed denied'
uid=0(root) gid=0(root) groups=0(root)
allowed:
ls: cannot open directory 'denied': Permission denied
$ bst --groups 1 sh -c 'id; ls allowed denied'
uid=0(root) gid=0(root) groups=0(root),1(daemon)
allowed:
ls: cannot open directory 'denied': Permission denied

-- 
Snaipe
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
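Added example, not part of the thread or of bst or the patches: a small Python model of the mode-bit check the kernel applies, constructed to mirror the session above (directories owned root:wheel, caller snaipe who is a member of wheel). It shows why "denied" stays denied regardless of what `id` reports inside the namespace, and why letting the caller drop wheel would open it, which is the reason setgroups is restricted in unprivileged user namespaces. The uid/gid numbers, class and function names are my own assumptions; capabilities are not modelled.

```python
from dataclasses import dataclass

R, W, X = 4, 2, 1

@dataclass(frozen=True)
class Inode:
    mode: int            # permission bits only, e.g. 0o705 for drwx---r-x
    uid: int             # kernel uid (kuid), not the namespace-mapped value
    gid: int

@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int
    groups: frozenset    # supplementary groups, again as kernel gids

def may_access(cred: Cred, inode: Inode, want: int) -> bool:
    """Classic mode-bit check in the order the kernel uses (owner, then
    group, then other).  A group match never falls through to the 'other'
    bits, which is what makes a negative permission such as rwx---r-x work.
    Capabilities (CAP_DAC_OVERRIDE etc.) are deliberately not modelled."""
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif cred.gid == inode.gid or inode.gid in cred.groups:
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (bits & want) == want

def drop_group(cred: Cred, gid: int) -> Cred:
    """What an unrestricted setgroups(2) would let the caller do to itself."""
    return Cred(cred.uid, cred.gid, cred.groups - {gid})

# Constructed values mirroring the session: both dirs root:wheel (kuid 0,
# kgid 998), caller is snaipe (1000) with wheel as a supplementary group.
ALLOWED = Inode(0o755, 0, 998)   # drwxr-xr-x
DENIED = Inode(0o705, 0, 998)    # drwx---r-x
SNAIPE = Cred(1000, 1000, frozenset({1000, 998}))

def scenario() -> dict:
    """Listing a directory needs r+x.  Returns the three outcomes that matter."""
    return {
        "allowed": may_access(SNAIPE, ALLOWED, R | X),            # True
        "denied": may_access(SNAIPE, DENIED, R | X),              # False: group bits win
        # If the namespace could silently discard wheel, the same directory
        # would open; keeping the real membership for checks is what 'shadow'
        # preserves while hiding the groups from id(1).
        "denied_after_drop": may_access(drop_group(SNAIPE, 998), DENIED, R | X),  # True
    }

if __name__ == "__main__":
    print(scenario())
```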