1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
From 1f6c35b28ece31f998ea28704968f032636afe0a Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Fri, 28 Oct 2022 14:06:24 +0200
Subject: [PATCH] unshare: fix creating a userns when running as root
this check would prevent the function to ever be used when running
as root, since we won't check what capabilities are currently
available to the process.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
(cherry picked from commit 1af3928e9bf16d9c39d3d60bf3ec6bb7167989a6)
pkg/unshare/unshare_linux.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Note: This matters when invoking the process (typically podman or buildah)
as root but without CAP_SYS_ADMIN.
diff --git a/pkg/unshare/unshare_linux.go b/pkg/unshare/unshare_linux.go
index 3fc36201c5..c26dedb398 100644
@@ -448,7 +448,7 @@ type Runnable interface {
// MaybeReexecUsingUserNamespace re-exec the process in a new namespace
func MaybeReexecUsingUserNamespace(evenForRoot bool) {
// If we've already been through this once, no need to try again.
- if os.Geteuid() == 0 && IsRootless() {
+ if os.Geteuid() == 0 && GetRootlessUID() > 0 {
return
}
|
