1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
|
//go:build linux || freebsd
package integration
import (
"fmt"
. "github.com/containers/podman/v5/test/utils"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
)
var _ = Describe("Podman run passwd", func() {
It("podman run no user specified ", func() {
session := podmanTest.Podman([]string{"run", "--read-only", BB, "mount"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(Not(ContainSubstring("passwd")))
})
It("podman run user specified in container", func() {
session := podmanTest.Podman([]string{"run", "--read-only", "-u", "bin", BB, "mount"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(Not(ContainSubstring("passwd")))
})
It("podman run UID specified in container", func() {
session := podmanTest.Podman([]string{"run", "--read-only", "-u", "2:1", BB, "mount"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(Not(ContainSubstring("passwd")))
})
It("podman run UID not specified in container", func() {
session := podmanTest.Podman([]string{"run", "--read-only", "-u", "20001:1", BB, "mount"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(ContainSubstring("passwd"))
})
It("podman can run container without /etc/passwd", func() {
dockerfile := fmt.Sprintf(`FROM %s
RUN rm -f /etc/passwd /etc/shadow /etc/group
USER 1000`, ALPINE)
imgName := "testimg"
podmanTest.BuildImage(dockerfile, imgName, "false")
session := podmanTest.Podman([]string{"run", "--passwd=false", "--rm", imgName, "ls", "/etc/"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(Not(ContainSubstring("passwd")))
// test that the /etc/passwd file is created
session = podmanTest.Podman([]string{"run", "--rm", "--user", "0:0", imgName, "ls", "/etc/passwd"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
})
It("podman run with no user specified does not change --group specified", func() {
session := podmanTest.Podman([]string{"run", "--read-only", BB, "mount"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(Not(ContainSubstring("/etc/group")))
})
It("podman run group specified in container", func() {
session := podmanTest.Podman([]string{"run", "--read-only", "-u", "root:bin", BB, "mount"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(Not(ContainSubstring("/etc/group")))
})
It("podman run non-numeric group not specified in container", func() {
session := podmanTest.Podman([]string{"run", "--read-only", "-u", "root:doesnotexist", BB, "mount"})
session.WaitWithDefaultTimeout()
Expect(session).To(ExitWithError(126, "unable to find group doesnotexist: no matching entries in group file"))
})
It("podman run numeric group specified in container", func() {
session := podmanTest.Podman([]string{"run", "--read-only", "-u", "root:11", BB, "mount"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(Not(ContainSubstring("/etc/group")))
})
It("podman run numeric group not specified in container", func() {
session := podmanTest.Podman([]string{"run", "--read-only", "-u", "20001:20001", BB, "mount"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(ContainSubstring("/etc/group"))
})
It("podman run numeric group from image and no group file", func() {
dockerfile := fmt.Sprintf(`FROM %s
RUN rm -f /etc/passwd /etc/shadow /etc/group
USER 1000`, ALPINE)
imgName := "testimg"
podmanTest.BuildImage(dockerfile, imgName, "false")
session := podmanTest.Podman([]string{"run", "--rm", imgName, "ls", "/etc/"})
session.WaitWithDefaultTimeout()
Expect(session).Should(ExitCleanly())
Expect(session.OutputToString()).To(Not(ContainSubstring("/etc/group")))
})
It("podman run --no-manage-passwd flag", func() {
run := podmanTest.Podman([]string{"run", "--user", "1234:1234", ALPINE, "cat", "/etc/passwd"})
run.WaitWithDefaultTimeout()
Expect(run).Should(ExitCleanly())
Expect(run.OutputToString()).To(ContainSubstring("1234:1234"))
run = podmanTest.Podman([]string{"run", "--passwd=false", "--user", "1234:1234", ALPINE, "cat", "/etc/passwd"})
run.WaitWithDefaultTimeout()
Expect(run).Should(ExitCleanly())
Expect(run.OutputToString()).NotTo(ContainSubstring("1234:1234"))
})
It("podman run --passwd-entry flag", func() {
// Test that the line we add doesn't contain anything else than what is specified
run := podmanTest.Podman([]string{"run", "--user", "1234:1234", "--passwd-entry=FOO", ALPINE, "grep", "^FOO$", "/etc/passwd"})
run.WaitWithDefaultTimeout()
Expect(run).Should(ExitCleanly())
run = podmanTest.Podman([]string{"run", "--user", "12345:12346", "-w", "/etc", "--passwd-entry=$UID-$GID-$NAME-$HOME-$USERNAME", ALPINE, "cat", "/etc/passwd"})
run.WaitWithDefaultTimeout()
Expect(run).Should(ExitCleanly())
Expect(run.OutputToString()).To(ContainSubstring("12345-12346-container user-/etc-12345"))
})
It("podman run --group-entry flag", func() {
// Test that the line we add doesn't contain anything else than what is specified
run := podmanTest.Podman([]string{"run", "--user", "1234:1234", "--group-entry=FOO", ALPINE, "grep", "^FOO$", "/etc/group"})
run.WaitWithDefaultTimeout()
Expect(run).Should(ExitCleanly())
run = podmanTest.Podman([]string{"run", "--user", "12345:12346", "--group-entry=$GID", ALPINE, "tail", "/etc/group"})
run.WaitWithDefaultTimeout()
Expect(run).Should(ExitCleanly())
Expect(run.OutputToString()).To(ContainSubstring("12346"))
})
})
|
